b"Department of Homeland Security\n   Of\xef\xac\x81ce of Inspector General\n         Information Technology Management\n              Letter for the FY 2008 DHS\n               Financial Statement Audit\n\n                                           (Redacted)\n\n\n\n\n Notice: The Department of Homeland Security, Office of Inspector General has redacted the report for public\n release. A review under the Federal of Information Act will be conducted upon request.\n\n\n\n\nOIG-09-50                                                                                         April 2009\n\x0c                                                                        Office of Inspector General\n\n                                                                        U.S. Department of\n                                                                        Homeland Security\n                                                                        Washington, DC 20528\n\n\n\n\n                                      April 6, 2009\n\n\n                                      Preface\n\nThe Department of Homeland Security (DHS) Office of Inspector General (OIG) was\nestablished by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to\nthe Inspector General Act of 1978. This is one of a series of audit, inspection, and special\nreports prepared as part of our oversight responsibilities to promote economy, efficiency, and\neffectiveness within the department.\n\nThis report presents the information (IT) management letter for the FY 2008 DHS financial\nstatement audit as of September 30, 2008. It contains observations and recommendations\nrelated to information technology internal control that were not required to be reported in the\nfinancial statement audit report (OIG-09-09, November 2008) and represents the separate\nrestricted distribution report mentioned in that report. 
The independent accounting firm\nKPMG LLP (KPMG) performed the audit of the DHS FY 2008 financial statements and\nprepared this IT management letter. KPMG is responsible for the attached IT management\nletter dated December 5, 2008, and the conclusions expressed in it. We do not express\nopinions on DHS\xe2\x80\x99 financial statements or internal control or make conclusions on\ncompliance with laws and regulations.\n\nThe recommendations herein have been developed to the best knowledge available to our\noffice, and have been discussed in draft with those responsible for implementation. We trust\nthis report will result in more effective, efficient, and economical operations. We express our\nappreciation to all of those who contributed to the preparation of this report.\n\n\n\n\n                                      Richard L. Skinner\n                                      Inspector General\n\x0c                               KPMG LLP\n                               2001 M Street, NW\n                               Washington, DC 20036\n\n\n\nDecember 5, 2008\n\nInspector General\nU.S. Department of Homeland Security\n\nChief Information Officer\nU.S. Department of Homeland Security\n\nChief Financial Officer\nU.S. Department of Homeland Security\n\nLadies and Gentlemen:\n\nWe were engaged to audit the accompanying consolidated balance sheet of the U.S. Department of\nHomeland Security (DHS) as of September 30, 2008, and the related statement of custodial activity for\nthe year then ended (referred to herein as \xe2\x80\x9cfinancial statements\xe2\x80\x9d). We were not engaged to audit the\nstatements of net cost, changes in net position, and budgetary resources for the year ending September 30,\n2008 (referred to herein as \xe2\x80\x9cother financial statements\xe2\x80\x9d). 
Because of matters discussed in our Independent\nAuditors\xe2\x80\x99 Report, dated November 14, 2008, the scope of our work was not sufficient to enable us to\nexpress, and we did not express, an opinion on the financial statements.\n\nIn connection with our fiscal year (FY) 2008 engagement, we considered DHS\xe2\x80\x99 internal control over\nfinancial reporting by obtaining an understanding of DHS\xe2\x80\x99 internal control, determining whether internal\ncontrols had been placed in operation, assessing control risk, and performing tests of controls in order to\ndetermine our procedures. We limited our internal control testing to those controls necessary to achieve\nthe objectives described in Government Auditing Standards and Office of Management and Budget\n(OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements. We did not test all\ninternal controls relevant to operating objectives as broadly defined by the Federal Managers\xe2\x80\x99 Financial\nIntegrity Act of 1982 (FMFIA). The objective of our engagement was not to provide an opinion on the\neffectiveness of DHS\xe2\x80\x99 internal control over financial reporting. Accordingly, we do not express an\nopinion on the effectiveness of DHS\xe2\x80\x99 internal control over financial reporting. Further, other matters\ninvolving internal control over financial reporting may have been identified and reported had we been\nable to perform all procedures necessary to express an opinion on the DHS balance sheet as of\nSeptember 30, 2008, and the related statement of custodial activity for the year then ended, and had we\nbeen engaged to audit the other FY 2008 financial statements.\n\nA control deficiency exists when the design or operation of a control does not allow management or\nemployees, in the normal course of performing their assigned functions, to prevent or detect\nmisstatements on a timely basis. 
A significant deficiency is a control deficiency, or combination of\ncontrol deficiencies, that adversely affects DHS\xe2\x80\x99 ability to initiate, authorize, record, process, or report\nfinancial data reliably in accordance with U.S. generally accepted accounting principles such that there is\nmore than a remote likelihood that a misstatement of DHS\xe2\x80\x99 financial statements that is more than\ninconsequential will not be prevented or detected by DHS\xe2\x80\x99 internal control over financial reporting. A\nmaterial weakness is a significant deficiency, or combination of significant deficiencies, that results in\nmore than a remote likelihood that a material misstatement of the financial statements will not be\nprevented or detected by the entity\xe2\x80\x99s internal control.\n\n\n\n\n                                    KPMG LLP, a U.S. limited liability partnership, is the U.S.\n                                    member firm of KPMG International, a Swiss cooperative.\n\x0cDuring our audit, we noted certain matters involving internal control and other operational matters with\nrespect to financial systems Information Technology (IT) general and application controls. Collectively,\nwe consider these IT control weaknesses to collectively contribute to a material weakness regarding IT\nfor the FY 2008 audit of the DHS consolidated financial statements.\n\nThe material weakness described above is presented in our Independent Auditors\xe2\x80\x99 Report, dated\nNovember 14, 2008. This letter represents the separate restricted distribution report mentioned in that\nreport.\n\nThe material weakness and other comments described herein have been discussed with the appropriate\nmembers of management, or communicated through a Notice of Finding and Recommendation (NFR),\nand is intended For Official Use Only. 
We aim to use our knowledge of DHS\xe2\x80\x99 organization gained\nduring our audit engagement to make comments and suggestions that we hope will be useful to you. We\nhave not considered internal control since the date of our Independent Auditors\xe2\x80\x99 Report.\n\nThe Table of Contents on the next page identifies each section of the letter. In addition, we have\nprovided: a description of key DHS financial systems and information technology infrastructure within\nthe scope of the FY 2008 DHS financial statement audit in Appendix A; a description of each internal\ncontrol finding in Appendix B; and the current status of the prior year NFRs in Appendix C. Our\ncomments related to financial management and reporting internal controls have been presented in a\nseparate letter to the Office of Inspector General and the DHS Chief Financial Officer dated December 5,\n2008.\n\nThis report is intended solely for the information and use of DHS management, DHS Office of Inspector\nGeneral, OMB, U.S. Government Accountability Office, and the U.S. 
Congress, and is not intended to be\nand should not be used by anyone other than these specified parties.\n\n\nVery truly yours,\n\x0c                             Department of Homeland Security\n                         Information Technology Management Letter\n                                    September 30, 2008\n\n\n                  INFORMATION TECHNOLOGY MANAGEMENT LETTER\n\n                                     TABLE OF CONTENTS\n                                                                                            Page\n\nObjective, Scope and Approach                                                                1\n\nSummary of Findings and Recommendations                                                      2\n\nIT General Control Findings by Audit Area                                                    3\n\n       Access Controls                                                                       3\n\n       Application Software Development and Change Controls                                  4\n\n       Service Continuity                                                                    5\n\n       Entity-Wide Security Program Planning and Management                                  5\n\n       System Software                                                                       6\n\n       Segregation of Duties                                                                 6\n\nApplication Control Findings                                                                 12\n\nManagement Comments and OIG Response                                                         12\n\n                                          APPENDICES\n\n    Appendix                                       Subject                                  Page\n\n\n                    Description of Key Financial Systems and IT Infrastructure within the\n        A                                                                                    13\n                    Scope of the 
FY 2008 DHS Financial Statement Audit Engagement\n\n\n\n        B           FY 2008 Notices of IT Findings and Recommendations                       20\n\n\n\n                    Status of Prior Year Notices of Findings and Recommendations and\n        C                                                                                    89\n                    Comparison to Current Year Notices of Findings and Recommendations\n\n\n\n        D           Management Comments                                                     131\n\x0c                                 Department of Homeland Security\n                             Information Technology Management Letter\n                                        September 30, 2008\n\n                             OBJECTIVE, SCOPE AND APPROACH\n\nWe were engaged to perform an audit of Department of Homeland Security (DHS) Information\nTechnology (IT) general controls in support of the fiscal year (FY) 2008 DHS balance sheet and\nstatement of custodial activity audit engagement. The overall objective of our engagement was to\nevaluate the effectiveness of IT general controls of DHS\xe2\x80\x99 financial processing environment and related IT\ninfrastructure as necessary to support the engagement. The Federal Information System Controls Audit\nManual (FISCAM), issued by the Government Accountability Office (GAO), formed the basis of our\naudit. The scope of the IT general controls assessment is described in Appendix A.\n\nFISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist\nthem in planning their audit work and to integrate the work of auditors with other aspects of the financial\naudit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review\nthat generally should be performed when evaluating general controls and the IT environment of a federal\nagency. 
FISCAM defines the following six control functions to be essential to the effective operation of\nthe general IT controls environment.\n\nx   Entity-wide security program planning and management (EWS) \xe2\x80\x93 Controls that provide a framework\n    and continuing cycle of activity for managing risk, developing security policies, assigning\n    responsibilities, and monitoring the adequacy of computer-related security controls.\nx   Access control (AC) \xe2\x80\x93 Controls that limit and/or monitor access to computer resources (data,\n    programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure.\nx   Application software development and change control (ASDCC) \xe2\x80\x93 Controls that help to prevent the\n    implementation of unauthorized programs or modifications to existing programs.\nx   System software controls (SS) \xe2\x80\x93 Controls that limit and monitor access to powerful program that\n    operate computer hardware and secure applications supported by the system.\nx   Segregation of duties (SD) \xe2\x80\x93 Controls that constitute policies, procedures, and an organizational\n    structure to prevent one individual from controlling key aspects of computer-related operations, thus\n    deterring unauthorized actions or access to assets or records.\nx   Service continuity (SC) \xe2\x80\x93 Controls that involve procedures for continuing critical operations without\n    interruption, or with prompt resumption, when unexpected events occur.\n\nTo complement our general IT controls audit, we also performed technical security testing for key\nnetwork and system devices, as well as testing over key financial application controls. 
The technical\nsecurity testing was performed both over the Internet and from within select DHS facilities, and focused\non test, development, and production devices that directly support DHS\xe2\x80\x99 financial processing and key\ngeneral support systems.\n\nIn addition to testing DHS\xe2\x80\x99 general control environment, we performed application control tests on a\nlimited number of DHS\xe2\x80\x99 financial systems and applications. The application control testing was\nperformed to assess the controls that support the financial systems\xe2\x80\x99 internal controls over the input,\nprocessing, and output of financial data and transactions.\n\nx   Application Controls (APC) - Application controls are the structure, policies, and procedures that\n    apply to separate, individual application systems, such as accounts payable, inventory, payroll, grants,\n    or loans.\n\n\n                                                     1\n    Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                 Department of Homeland Security\n                             Information Technology Management Letter\n                                        September 30, 2008\n\n                  SUMMARY OF FINDINGS AND RECOMMENDATIONS\n\nDuring FY 2008, DHS components took significant steps to improve their financial system security and\naddress prior year IT control weaknesses, which resulted in the closure of more than 40% of our prior\nyear IT control findings. Additionally, some DHS components reduced the severity of the weaknesses\nwhen compared to findings reporting in the prior year. However, during FY 2008, we continued to\nidentify IT general control weaknesses. 
The most significant weaknesses from a financial statement audit\nperspective include: 1) excessive unauthorized access to key DHS financial applications; 2) application\nchange control processes that are inappropriate, not fully defined, followed, or effective; 3) service\ncontinuity issues impacting DHS\xe2\x80\x99 ability to ensure that DHS financial data is available when needed.\nCollectively, the IT control weaknesses limited DHS\xe2\x80\x99 ability to ensure that critical financial and\noperational data were maintained in such a manner to ensure confidentiality, integrity, and availability. In\naddition, these weaknesses negatively impacted the internal controls over DHS\xe2\x80\x99 financial reporting and its\noperation and we consider them to collectively represent a material weakness for DHS under standards\nestablished by the American Institute of Certified Public Accountants (AICPA). The information\ntechnology findings were combined into one material weakness regarding Information Technology for the\nFY 2008 audit of the DHS consolidated financial statements.\n\nThe FISCAM IT general control areas that continue to present a risk to financial systems data integrity\ninclude:\n\n1. Excessive access to key DHS financial applications, including; weaknesses in access documentation\n   and approval, disabling account access upon termination, instances of inadequate or weak passwords,\n   workstations, servers, or network devices were configured without necessary inactivity time-outs and\n   up-to-date anti-virus software.\n\n2. 
Application change control processes that are inappropriate, not fully defined, followed, or effective,\n   including instances where database scripts are not properly documented or monitored; instances\n   where changes made to the system were not always properly approved, tested, documented or\n   performed through System Change Requests (SCRs), instances where policies and procedures\n   regarding change controls were not in place to prevent users from having concurrent access to the\n   development, test, and production environments of the system, or for restricting access to application\n   system software and system support files, and policies and procedures surrounding the system\n   development life cycle (SDLC) process have not been documented or finalized.\n\n3. Service continuity issues impacting DHS\xe2\x80\x99 ability to ensure that DHS financial data is available when\n   needed, including; instances where the Continuity of Operations Plan (COOP) does not include an\n   accurate listing of critical information technology systems, did not have critical data files and an\n   alternate processing facility documented, and was not adequately tested, and various weaknesses\n   identified in alternate processing sites.\n\nWhile the recommendations made by KPMG should be considered by DHS, it is the ultimate\nresponsibility of DHS management to determine the most appropriate method(s) for addressing the\nweaknesses identified based on their system capabilities and available resources.\n\nThe individual weaknesses and findings that compose this deficiency are detailed in the following section.\n\n\n                                                     2\n   Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                Department of Homeland Security\n                            Information Technology Management Letter\n                                       September 30, 2008\n\n\n                  
IT GENERAL CONTROL FINDINGS BY AUDIT AREA\n\nConditions: In FY 2008, the following IT and financial system control weaknesses were identified at\nDHS. Many of the issues identified during our FY 2008 engagement were also identified during FY\n2007. The following IT and financial system control weaknesses result in IT being reported as\ncontributing to a material weakness for financial system security.\n\n\n1. Access controls \xe2\x80\x93 we noted:\n   x   One component does not maintain a centralized listing of contract personnel, including\n       employment status. Additionally, non-disclosure agreements are not consistently signed by\n       contractors.\n   x   Physical access authorization forms are not documented or maintained at one component.\n       Additionally, procedures for granting access to the computer room are not documented. At\n       another component, physical access authorizations are not consistently reviewed which resulted\n       in excessive access to DHS servers.\n   x   Account management documentation was not updated when modifications were performed at one\n       component. At three components, documentation of user access authorization was not\n       maintained. 
Additionally, user account lists were not periodically reviewed for appropriateness,\n       resulting in inappropriate authorizations and excessive user access privileges across seven DHS\n       components.\n   x   System user roles and permissions are not documented at one component.\n   x   Access request forms are not being completed for all financial system users on a consistent basis\n       at four components.\n   x   Excessive access existed within financial applications at two DHS components.\n   x   Emergency access was not appropriately restricted or was not approved by the Information\n       System Security Manager (ISSM) at one component.\n   x   At one component, access review procedures for key financial applications do not include the\n       review of all user accounts to ensure that all terminated individuals no longer have active\n       accounts, that inactive accounts are locked, and that privileges associated with each individual are\n       still authorized and necessary.\n   x   Accounts were not disabled or removed promptly upon personnel termination at one DHS\n       component. Procedures over the process of finalizing and implementing entity-wide processes\n       for account terminations and related notifications are in draft and have not been implemented or\n       communicated at two components.\n   x   Individuals were not required to sign rules of behavior or computer access agreements prior to\n       gaining access to financial systems at two components.\n   x   Five DHS components had instances of inadequate or weak passwords that existed on key\n       systems, servers and databases that house financial data. 
Additionally, one component was not\n\n\n                                                    3\n   Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                Department of Homeland Security\n                            Information Technology Management Letter\n                                       September 30, 2008\n\n       consistently remediating password vulnerabilities identified by scans in order to mitigate weak\n       password configurations.\n   x   Instances at three components where workstations or financial applications were configured with\n       inadequate inactivity time-outs.\n   x   Instances at four components where workstations, servers, or network devices were configured\n       without necessary security patches, inadequate security configurations, or up-to-date anti-virus\n       software.\n   x   Procedures regarding the use of anti-virus software have not been finalized for one DHS\n       component.\n   x   At one component, a script which disables accounts after 30 days of inactivity was not\n       functioning appropriately for the full fiscal year.\n   x   Audit logs were not reviewed or evidence of audit log review is not retained at five DHS\n       components. At two components, audit logs were not appropriately configured to capture\n       security events. Additionally, at one component, audit logs of privileged database administrator\n       actions are not enabled or reviewed.\n   x   At one component, policy and procedures for review of audit logs are not documented.\n   x   Media sanitation procedures do not reflect the current process in place at one component.\n   x   Policy and procedures regarding implementation of Voice Over Internet Protocol (VOIP),\n       wireless technologies, cryptographic tools, and sharing data with external parties are not finalized\n       at one component.\n\n\n2. 
Application software development and change controls \xe2\x80\x93 we noted:\n   x   At two components, procedures over approval, testing, and documentation requirements for\n       database scripts remain in draft form. The testing, approval, and implementation documentation\n       is not consistently documented for all scripts. In addition, the components do not monitor scripts\n       run in the database through audit logging and has not developed a technical solution to monitor\n       who accesses the database to run scripts or review what scripts are run. Analysis of the database\n       scripts conducted by the components was incomplete and did not properly evaluate the financial\n       statement impact of the scripts.\n   x   Change control policies and procedures are not fully documented and implemented at three DHS\n       components.\n   x   Policies and procedures surrounding the SDLC process have not been documented or finalized\n       for the Department and one component.\n   x   Emergency and non-emergency changes were made prior to management approval. 
Additionally,\n       at five DHS components, instances where changes made to the system were not always\n       documented or performed through SCRs, test plans, test results, approvals, or software\n       modifications.\n   x   At two components, the contract with the support vendor did not include security configuration\n       requirements that must be adhered to during the configuration management process.\n\n                                                    4\n   Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                Department of Homeland Security\n                            Information Technology Management Letter\n                                       September 30, 2008\n\n   x   Policies and procedures over the authorization and use of mobile code technologies are in draft\n       form for one DHS component.\n   x   Excessive access to financial application program and support files at one component.\n\n\n3. Service continuity \xe2\x80\x93 we noted:\n   x   The COOP does not include an accurate listing of critical information technology systems, did not\n       have critical data files and an alternate processing facility documented, and was not adequately\n       tested at one DHS component. Additionally, complete testing of a current and finalized\n       Contingency Plan was not conducted for two components. At three components, the COOP and\n       Business Continuity Plans were not updated to reflect results of testing.\n   x   The Contingency Plan is not distributed or stored at off-site locations for two components.\n   x   An alternate processing site is not operational for one DHS component. 
In another instance, the\n       recovery facility was insufficient to fully and properly restore systems and conduct continuity\n       testing.\n   x   Documented hardware maintenance procedures do not exist at one component.\n   x   Access to the backup facility is not appropriately secured from unauthorized access at one\n       component.\n   x   Backup tapes are not tested on a quarterly basis at two components.\n\n\n4. Entity-wide security program planning and management \xe2\x80\x93 we noted:\n   x   Four components were not compliant with the requirements of the Federal Financial Management\n       Improvement Act (FFMIA).\n   x   A formal agreement has not been established between the Department and their alternate\n       processing site.\n   x   Interconnection Security Agreements (ISA) between two DHS components and external parties\n       were not in place or not finalized.\n   x   A risk assessment for a major financial application at two components has not been completed\n       and the associated System Security Plan (SSP) remains in draft form. 
At another component, the SSP is not accurate and up-to-date.
   • At one component, vulnerabilities identified from periodic scans are not reported and tracked via the Plan of Action and Milestones (POA&M) process.
   • Incident response procedures were not finalized and implemented at one component.
   • One component does not maintain a complete and up-to-date inventory listing of workstations.
   • Policies and procedures for system administrator responsibilities are not up-to-date for one component.
   • Financial application users had not completed IT security awareness training at four components. Additionally, one of these components has not implemented role-based security awareness training.
   • At two components, policies or procedures have not been implemented to require that a favorably adjudicated background investigation be completed for all contractor personnel.
   • Background investigations for all civilian employees have not been completed and civilian position sensitivity designations have not been determined in accordance with DHS guidance at two components.
   • Contractors and employees without completed background investigations retained access in DHS systems at one component.
   • At one component, procedures surrounding the system used to track contractor personnel data have not been formally documented.
   • Termination forms were not consistently completed and documented for separated employees and contractors at two components.

5. System software – we noted:
   • At two components, security patch management weaknesses exist on hosts supporting the key financial applications and general support systems.
   • Security configuration management weaknesses exist at three components on hosts supporting the key financial applications and the underlying general support systems.
   • At one component, procedures for identifying and installing patches are in draft and have not been implemented.
   • Monitoring and patch distribution software is not installed on all workstations at one component.
   • Policy and procedures for restricting access to system software have not been developed at one component.
   • System specific policies and procedures to review system software activity have not been developed at one component.
   • Evidence of system software audit log review is not retained at one DHS component.

6. Segregation of duties – we noted:
   • Segregation of duties policies have not been developed at one component.
   • Instances at two components where policies and procedures regarding change controls were not in place to prevent users from having concurrent access to the development, test, and production environments of the system, or for restricting access to application system software and system support files.
   • Evidence of the review of system programmer actions with access to production financial servers is not documented at one component.
   • At one component, financial system users have the ability to create and approve payment vouchers.

Recommendations: We recommend that the DHS Office of Chief Information Officer (OCIO), in coordination with the DHS Office of Chief Financial Officer (OCFO), and the DHS component OCIOs and OCFOs make the following improvements to the Department’s financial management systems:

1. For access controls:
   a) Develop and maintain a centralized listing of contract personnel and require all contractors to sign non-disclosure agreements;
   b) Develop and appropriately implement a physical access authorization process to ensure that physical access requests are completed and documented for all individuals prior to granting access to sensitive facilities;
   c) Develop and appropriately implement an access authorization process that ensures that a request is completed and documented for each individual prior to granting him/her access to a financial application or database;
   d) Document financial system user roles and permissions;
   e) Implement an account management certification process within all the components to ensure the periodic review of user accounts for appropriate access;
   f) Develop and implement procedures that will appropriately restrict the use of emergency or temporary access within DHS systems and that require documented supervisory approval from the ISSM confirming this access is needed;
   g) Implement a process to ensure that all accounts of terminated individuals from the system are immediately removed/end-dated/disabled upon their departure.
This includes both terminated employees and contractors;
   h) Ensure that all individuals sign a rules of behavior or computer access agreement document prior to granting him/her access to a financial application or database;
   i) Enforce password controls that meet DHS’ password requirements on all key financial systems. Conduct periodic vulnerability assessments, whereby systems are periodically reviewed for access controls not in compliance with DHS and Federal guidance, and ensure that action is taken to remediate any security weaknesses identified;
   j) Enforce inactivity time-outs on all workstations and applications as required by DHS policy;
   k) Complete procedures regarding the use of anti-virus software. Develop procedures to regularly review and monitor workstations and servers to ensure that the most up-to-date patches, necessary security configurations, and virus protection software are installed;
   l) Ensure that all accounts that have been inactive for over 30 days are disabled as required by DHS policy;
   m) Develop and implement detailed procedures requiring the review of operating system and application logs for suspicious activity, and conduct audit log reviews on a consistent and timely basis;
   n) Develop and implement media sanitization procedures that are consistent with DHS policy and the current practices in place; and
   o) Finalize and implement policy and procedures regarding VOIP, wireless technologies, cryptographic tools, and sharing data with external parties.

2. For application software development and change control:
   a) Implement and better document a single, integrated script change control process that includes clear lines of authority to financial and IT management personnel, enforced responsibilities of all participants in the process, and documentation requirements. Additionally, continue efforts to complete an in-depth analysis of active scripts, with the following objectives: all changes to active scripts and all new scripts should be subject to an appropriate software change control process that includes testing, reviews, and approvals, and all active scripts should be reviewed for impact on financial statement balances;
   b) Implement a single, integrated change control process over the DHS components’ financial systems with appropriate internal controls, including clear lines of authority to the components’ financial management personnel, enforced responsibilities of all participants in the process, and documentation requirements. Further develop and enforce policies that require that changes to the configuration of the system are approved and documented, and that audit logs are activated and reviewed on a periodic basis;
   c) Develop, document, and implement a formalized SDLC process;
   d) Ensure that all contracts with support vendors document all responsibilities and requirements of the change control process;
   e) Develop and implement formal policies and procedures for restricting access to DHS system software, and promulgate them to all needed personnel, in compliance with the DHS Sensitive System Policy Directive 4300A; and
   f) Finalize and implement policies and procedures over the authorization and use of mobile code technologies.

3. For service continuity:
   a) Update the COOP to document and prioritize an accurate listing of critical IT systems;
   b) Perform testing of key service continuity capabilities, including contingency planning. Ensure that all contingency plans and related documentation are updated upon completion of testing;
   c) Ensure that contingency plans and emergency documentation are distributed to the appropriate individuals and are stored off-site;
   d) Ensure that alternate processing sites are made operational;
   e) Document and implement hardware maintenance procedures;
   f) Establish and implement a procedure for authorizing and maintaining a backup facility access list to ensure that only authorized individuals are granted access; and
   g) Test backups at least quarterly.

4. For entity-wide security program planning and management:
   a) Develop and implement corrective action plans to address and remediate identified instances of non-compliance with FFMIA. Continue to improve and monitor component compliance with applicable DHS and Federal security requirements;
   b) Ensure that formal agreements with service providers are established and finalized;
   c) Ensure that ISAs are documented and finalized between DHS components and all external parties;
   d) Finalize and implement the certification and accreditation package for all key financial systems in accordance with DHS and National Institute of Standards and Technology (NIST) guidance;
   e) Ensure that all vulnerabilities and weaknesses are reported and tracked via the POA&M process;
   f) Develop procedures to regularly review and monitor the workstations to ensure that monitoring software is installed on all machines;
   g) Ensure that new and existing workstations are accounted for in an appropriate fashion;
   h) Review policies and procedures for security administrators to reflect the current operating environment;
   i) Ensure that IT security awareness training is completed by all personnel;
   j) Create and implement contractor background investigation policies and procedures in order to establish requirements and ensure compliance with the DHS Sensitive System Policy Directive 4300A. This includes the verification that all contracts include the appropriate position sensitivity designation requirements for contracted personnel;
   k) Perform initial background investigations and re-investigations for civilian employees in accordance with position sensitivity designations at no less than the Moderate level as required by DHS directives. In addition, conduct civilian background re-investigations every ten (10) years, as required by DHS directives;
   l) Finalize, communicate, and distribute procedures over contractor tracking. In addition, continuously monitor controls over the contractor tracking system to verify that contractor data within the system remains current and accurate; and
   m) Implement an automated process or system that will notify system owners of terminated contractor, military, and civilian personnel. Additionally, ensure that employee exit procedures are implemented for all separating personnel.

5. For system software:
   a) Implement a patch management and security configuration process, and enforce the requirement that systems are periodically tested by DHS components and the DHS Office of Chief Information Officer. Additionally, perform corrective actions on the specific patch and configuration weaknesses identified;
   b) Actively monitor the use of and changes related to operating systems and other sensitive utility software and hardware;
   c) Develop and implement procedures for reviewing system software activity; and
   d) Develop and implement policy and procedures for restricting access to system software.

6. For segregation of duties:
   a) Develop and implement segregation of duties policies. Ensure that segregation of duties policies are enforced for all financial systems;
   b) Develop and implement procedures to perform a periodic review of access to financial application software and support files to determine whether access is valid, consistent with job responsibilities, and according to the least privilege principle. Remove excessive access to all DHS financial application software and support files; and
   c) Monitor the activities of system programmers as well as the use of operating systems software and other sensitive utility software and hardware. Retain evidence of the reviews.

Cause/Effect: Many of these weaknesses were inherited from the legacy agencies that came into DHS, or from system development activities that did not incorporate strong security controls from the outset, and will take several years to fully address. At many of the larger components, IT and financial system support operations are decentralized, contributing to challenges in integrating DHS IT and financial operations. In addition, financial system functionality weaknesses, as discussed throughout our report on internal controls in various processes, can be attributed to non-integrated legacy financial systems that do not have the embedded functionality required by Office of Management and Budget (OMB) Circular No. A-127, Financial Management Systems. Component-level IT divisions also do not always have sufficient resources to direct towards the implementation of security controls in a consistent manner. Additionally, corrective actions necessary to mitigate the weaknesses often take multiple years before they take hold.

A contributing cause of the numerous repeated findings is that DHS lacks an effective agency-wide method of tracking the remediation progress made on findings at the various components. In addition, while the components have made improvements in addressing the root cause of IT weaknesses, we found that focus is often placed on the tracking of responses to audit recommendations, instead of on developing the most effective method of addressing the actual control weakness.
When weaknesses in controls or processes are identified, the corrective actions address the symptom of the problem rather than the root cause, which amounts to a temporary fix.

Further, insufficient testing of IT controls and of remediation activities by individual DHS components and by the DHS CIO limits DHS’ ability to confirm that IT weaknesses are addressed. The most prevalent reason why these weaknesses are present is the lack of prioritization in taking the necessary actions to improve the IT control environment around the Department’s financial management systems.

The effect of these numerous IT weaknesses identified during our testing impacts the reliability of DHS’ financial data. Many of these weaknesses, especially those in the area of change control, may result in material errors in DHS’ financial data that are not detected, in a timely manner, in the normal course of business. In addition, as a result of the continuous presence of serious IT weaknesses, there is added pressure on the mitigating manual controls to be operating effectively at all times. Since manual controls are operated by people, there cannot be a reasonable expectation that they will be in place at all times and in all areas.

Criteria: The Federal Information Security Management Act (FISMA), passed as part of the Electronic Government Act of 2002, mandates that Federal entities maintain IT security programs in accordance with OMB and NIST guidance. OMB Circular No. A-130, Management of Federal Information Resources, and various NIST guidelines describe specific essential criteria for maintaining effective general IT controls. In addition, OMB Circular No. A-127 prescribes policies and standards for executive departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems. FFMIA sets forth legislation prescribing policies and standards for executive departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems. The purposes of FFMIA are: (1) to provide for consistency of accounting by an agency from one fiscal year to the next, and uniform accounting standards throughout the Federal Government; (2) to require Federal financial management systems to support full disclosure of Federal financial data, including the full costs of Federal programs and activities; (3) to increase the accountability and credibility of Federal financial management; (4) to improve performance, productivity, and efficiency of Federal Government financial management; and (5) to establish financial management systems to support controlling the cost of the Federal Government. In closing, for this year’s IT audit we assessed the DHS components’ compliance with the DHS Sensitive System Policy Directive 4300A.

APPLICATION CONTROL FINDINGS

Condition: In FY 2008, the following IT application control weakness was identified at DHS. This application control weakness, in combination with the IT and financial system control weaknesses detailed above, results in IT being reported as contributing to a material weakness for financial system security.

Four (4) contractors and an additional user account used by contractors had super user access privileges within the core financial system at one component. Based on notification of this weakness, component management responded by removing the access as of September 24, 2008.

Recommendation: No recommendation was issued, as the weakness was remediated by the component upon notification.

MANAGEMENT COMMENTS AND OIG RESPONSE

We obtained written comments on a draft of this report from the DHS CIO, DHS Acting CFO, and DHS CISO. Generally, DHS management agreed with all of our findings and recommendations. DHS management has developed a remediation plan to address these findings and recommendations. We have incorporated these comments where appropriate and included a copy of the comments at Appendix D.

OIG Response

We agree with the steps that DHS management is taking to satisfy these recommendations.

Appendix A

Description of Key Financial Systems and IT Infrastructure within the Scope of the FY 2008 DHS Financial Statement Audit Engagement

Below is a description of significant financial management systems and the supporting Information Technology (IT) infrastructure included in the scope of the engagement to perform the financial statement audit.

[redacted]

Locations of Audit: ICE Headquarters (HQ) in Washington, D.C.

Key Systems Subject to Audit:

   • [redacted] – ICE owns and operates [redacted]. ICE performs accounting services for other DHS components, such as the United States Citizenship and Immigration Services, Management Directorate, Science and Technology Directorate, and US-Visit, using [redacted] per the shared services agreement these agencies have with ICE. [redacted] is a commercial off-the-shelf financial reporting system that was fully implemented in fiscal year (FY) 2003. [redacted] is the official system of record and is built in [redacted]. It includes the core system used by accountants, [redacted] that is used by standard users, and a [redacted] payroll interface. [redacted] supports all USCIS/ICE core financial processing and uses a Standard General Ledger (SGL) for the accounting of agency financial transactions.

[redacted]

Locations of Audit: USCIS HQ in Washington, D.C.

Key Systems Subject to Audit:

   • [redacted] – The ICE component owns and operates [redacted]. ICE performs the financial reporting function for USCIS, using [redacted] per the shared services agreement with USCIS. [redacted] is a commercial off-the-shelf financial reporting system that was fully implemented in FY 2003. [redacted] is the official system of record and is built in [redacted]. It includes the core system used by accountants, [redacted], which is used by average users, and a National Finance Center payroll interface. [redacted] supports all USCIS core financial processing. [redacted] uses a SGL for the accounting of agency financial transactions.
   • [redacted] – [redacted] provides USCIS with a decentralized [redacted]-based system that supports the requirements of the Direct Mail Phase I and II, the Immigration Act of 1990 (IMMACT 90, Pub. L. No. 101-649), and USCIS forms improvement projects. The [redacted] is located at each of the service centers [redacted]. The main purpose of [redacted] is to enter and track immigration applications.
   • [redacted] – The purpose of [redacted] is to track and manage naturalization applications. [redacted] resides on multiple platforms, including a [redacted]. [redacted] data is centrally stored within one [redacted]. Software is developed and maintained in the relational database and [redacted] environments.

[redacted]

Locations of Audit: Coast Guard HQ in Washington, DC

[redacted].

Key Systems Subject to Audit:

   • [redacted] – [redacted] is the core accounting system that records financial transactions and generates financial statements for the Coast Guard. [redacted] is hosted at [redacted], the Coast Guard’s primary data center. It is a customized version of [redacted].
   • [redacted] – The [redacted] application is used to create and post obligations to the core accounting system. It allows users to enter funding, create purchase requests, issue procurement documents, perform system administration responsibilities, and reconcile weekly program element status reports. [redacted] is interconnected with the [redacted].
   • [redacted] – [redacted] is the document image processing system, which is integrated with an [redacted]. [redacted] allows electronic data and scanned paper documents to be imaged and processed for data verification, reconciliation, and payment. [redacted] utilizes [redacted] to scan documents, to view the images of scanned documents, and to render images of electronic data received. [redacted] is a commercial product used to reconcile payment information retrieved from the United States Department of the Treasury. [redacted] reconciles items that Treasury has paid for Coast Guard with items [redacted] has paid to Treasury. This system is hosted on a [redacted].
   • [redacted] – [redacted] is a Microsoft Access database and is maintained at [redacted], and information from [redacted] is uploaded to this instance monthly. After reconciliation, [redacted] information is uploaded into [redacted].
   • [redacted] – [redacted] is a mainframe application used for paying Coast Guard active and reserve personnel’s payroll.
   • [redacted] – [redacted] is the system of record, and all functionality, data entry, and processing of payroll events is conducted exclusively in [redacted].
   • [redacted] – Formerly named the [redacted], [redacted] is hosted at [redacted]. [redacted] is the primary financial application for the [redacted].
   • [redacted] – [redacted] is a web-based application designed to automate the management of Coast Guard’s vessel logistics by supporting the following functions: configuration, maintenance, supply, and finance.
   • [redacted] – [redacted] is hosted at the Coast Guard’s [redacted] and provides core information about the USCG shore facility assets and facility engineering. The application tracks activities and assists in the management of the [redacted] Program and the [redacted] Program.

[redacted]

Locations of Audit: The [redacted] in [redacted] and the [redacted]

Key Systems Subject to Audit:

   • [redacted] – [redacted] is CBP’s financial management system that consists of a ‘core’ system, which supports primary financial accounting and reporting processes, and a number of additional subsystems for specific operational and administrative management functions. [redacted] is a client/server-based financial management system that was implemented beginning in FY 2004 to ultimately replace the [redacted]-based financial system using a phased approach.
   • [redacted] – [redacted] is a collection of business process mainframe-based systems used by CBP to track, control, and process all commercial goods, conveyances, and private aircraft entering the U.S. territory for the purpose of collecting import duties, fees, and taxes owed to the Federal government. Key application software within [redacted] includes systems for data input/output, entry and entry summary, and collection of revenue.
   • [redacted] – [redacted] is the commercial trade processing system being developed by CBP to facilitate trade while strengthening border security. [redacted] is being deployed in phases, with a final full deployment scheduled for FY 2010. As [redacted] is partially implemented now and processes a significant amount of revenue for CBP, [redacted] was included in a limited scope in the FY 2008 financial statement audit. The [redacted]

[redacted]

Location of Audit: DHS HQ in Washington, D.C.

Key Systems Subject to Audit:

   • [redacted] – The system of record for the DHS consolidated financial statements is [redacted]. The DHS components update [redacted] on a monthly basis with data extracted from their core financial management systems. [redacted] subjects component financial data to a series of validation and edit checks before it becomes part of the system of record. Data cannot be modified directly in [redacted] but must be resubmitted as an input file.
   • [redacted] – [redacted] interfaces with [redacted] and is used for the consolidation of the financial data and the preparation of the DHS financial statements. [redacted] is also administered by Treasury.

   The [redacted] and [redacted] applications reside on the Department of Treasury’s network and are administered by Treasury. Treasury is responsible for the administration of the [redacted] and the [redacted].
The DHS Office of Financial Management is responsible for the administration of DHS user accounts within the [redacted].

Location of Audit: FLETC HQ in [redacted]

Key Systems Subject to Audit:

- [redacted] - FLETC’s core financial management system that processes financial documents generated by various FLETC divisions in support of procurement, payroll, budget and accounting activities. All financial, procurement and budgeting transactions where the FLETC is involved are processed by [redacted].

- [redacted] - FLETC’s procurement management system, which is used for the tracking of procurement activities at various FLETC locations. [redacted] is a system used to input requisitions for the acquisition of goods and services. [redacted] purpose is to process contractual documents generated by FLETC in support of procurement activities. The system resides on an [redacted] and the front-end of the system is integrated with [redacted].

                                                17
Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit

                                                                                           Appendix A

                             Department of Homeland Security
                         Information Technology Management Letter
                                    September 30, 2008

Locations of Audit: FEMA HQ in Washington, D.C., [redacted]

Key Systems Subject to Audit:

- [redacted] – [redacted] is the key financial reporting system, and has several feeder subsystems (budget, procurement, accounting, and other administrative processes and reporting).

- [redacted] – [redacted] is an integrated system to provide FEMA, the states, and certain other federal agencies with automation to perform disaster related operations. [redacted] supports all phases of emergency management, and provides financial related data to [redacted] via an automated interface.

- [redacted] - The [redacted] application acts as a central repository of all data submitted by the Write Your Own (WYO) companies. [redacted] also supports the WYO program, primarily by ensuring the quality of financial data submitted by the WYO companies to [redacted]. [redacted] is [redacted] that runs on the [redacted] mainframe logical partition in [redacted].

- [redacted] - The general ledger application used by [redacted] to generate the [redacted] financial statements. [redacted] is a client-server application that runs on a [redacted] server in [redacted] which is secured in the local area network room. The [redacted] client is installed on the desktop computers of the [redacted] Bureau of Financial Statistical Control group members.

- [redacted] - [redacted] is a web based application which was developed by Digital Systems Group specifically for FEMA grants. [redacted] allows grantees access to their grant funds as well as upload [redacted] online. Draw down transaction information from [redacted] is interfaced with [redacted]. [redacted] then interfaces with Treasury to transfer payment information to Treasury, resulting in a disbursement of funds to the grantee.

Locations of Audit: TSA HQ in Washington, D.C.

Key Systems Subject to Audit:

- [redacted] – [redacted] is the core accounting system that records financial transactions and generates financial statements for the Coast Guard. [redacted] is hosted at the [redacted] in [redacted]. [redacted] interfaces with [redacted]. Additionally, [redacted] fixed asset module for property management is interconnected to the [redacted] that is hosted at [redacted].

- [redacted] – The [redacted] application used to create and post obligations to the core accounting system. It allows users to enter funding, create purchase requests, issue procurement documents, perform system administration responsibilities, and reconcile weekly program element status reports. [redacted] is interconnected with the [redacted] and [redacted] and is located at the [redacted].

- [redacted] is a customized third party commercial off the shelf product used for [redacted] property management. [redacted] interacts directly with the fixed asset module in [redacted]. Additionally, [redacted] is interconnected to the [redacted].

Locations of Audit: DHS HQ [redacted]. The DHS-CIO is responsible for setting security and control related policy and guidance for the department.
If any issues were identified during the audit that resulted in the DHS-CIO being the responsible party, an NFR was issued directly to them.

Key Systems Subject to Audit: N/A

                                                                            Appendix B
                          Department of Homeland Security
                      Information Technology Management Letter
                                 September 30, 2008

                                   Appendix B

FY2008 Notices of IT Findings and Recommendations - Detail by DHS Organizational Element

Notices of Findings and Recommendations – Definition of Risk Ratings:

The Notices of Findings and Recommendations (NFR) were risk ranked as High, Medium, and Low based upon the potential impact that each weakness could have on the DHS component’s IT general control environment and the integrity of the financial data residing on the DHS component’s financial systems, and the pervasiveness of the weakness. The risk ratings are intended only to assist management in prioritizing corrective actions, considering the potential benefit of the corrective action to strengthen the IT general control environment and/or the integrity of the DHS consolidated financial statements. Correction of some higher risk findings may help mitigate the severity of lower risk findings, and possibly function as a compensating control. In addition, analysis was conducted collectively on all NFRs to assess connections between individual NFRs, which when joined together could lead to a control weakness occurring with more likelihood and/or higher impact potential. The risk ratings, used in this context, are not defined by Government Auditing Standards, issued by the Comptroller General of the United States, or the American Institute of Certified Public Accountants (AICPA) Professional Standards, and do not necessarily correlate to a significant deficiency, as defined by the AICPA Professional Standards and reported in our Independent Auditors’ Report on the DHS consolidated financial statements, dated November 14, 2008.

High Risk: A control weakness that is more serious in nature affecting a broader range of financial IT systems, or having a more significant impact on the IT general control environment and/or the integrity of the financial statements as a whole.

Medium Risk: A control weakness that is less severe in nature, but in conjunction with other IT general control weaknesses identified, may have a significant impact on the IT general control environment and/or the integrity of the financial statements as a whole.

Low Risk: A control weakness minimal in impact to the IT general control environment and/or the integrity of the financial statements.

The risk ratings included in this report are intended solely to assist management in prioritizing its corrective actions.
                Department of Homeland Security
                 FY2008 Information Technology
     Notification of Findings and Recommendations – Detail

United States Citizenship and Immigration Services

Columns: NFR #, Condition, Recommendation, New Issue / Repeat Issue, Risk Rating.

USCIS-IT-08-01 (Repeat Issue; Risk Rating: Medium)
Condition: The [redacted] has not defined or documented the appropriate user permissions for the various roles granted to [redacted].
Recommendation: Define and document the various [redacted] roles and their associated user permissions.

USCIS-IT-08-02 (Repeat Issue; Risk Rating: Medium)
Condition: [redacted] does not perform periodic [redacted] user access reviews to ensure that users' level of access remains appropriate.
Recommendation:
- Annually review and approve the list of employees stating the appropriate level of access for each [redacted] employee with access to [redacted];
- Annually review the list of [redacted] system and database administrators as well as review and approve the access level list; and
- Ensure necessary adjustments in [redacted] account access levels are accomplished based on the input.

USCIS-IT-08-03 (Repeat Issue; Risk Rating: Medium)
Condition: Management at the CIS HQ and the Service Centers ([redacted]) has not completed or inadequately completed access forms for [redacted] and Citizenship and Immigration Services [redacted] system users.
Recommendation: Establish and enforce procedures for the completion and maintenance of user access forms for [redacted].

USCIS-IT-08-04 (Repeat Issue; Risk Rating: Low)
Condition: The [redacted] has not defined or documented the appropriate user permissions for the various roles granted to [redacted].
Recommendation: Define and document the various [redacted] roles and their associated user permissions.

USCIS-IT-08-06 (New Issue; Risk Rating: Medium)
Condition: Access to USCIS server cage is not reviewed to determine whether access is appropriate and authorized, and USCIS does not provide oversight of the services the [redacted] is to provide.
Recommendation:
- Establish and implement a procedure for authorizing and maintaining a current cage (server room) access list.
- Establish and implement emergency exit and re-entry procedures. In addition, develop a process that assures all [redacted] resources with access to the USCIS resources adhere to the [redacted] policy and procedure.

USCIS-IT-08-07 (New Issue; Risk Rating: Medium)
Condition: Documented media sanitation procedures do not reflect the current processes at USCIS.
Recommendation: We recommend that USCIS update their policies and procedures to reflect their current media sanitization operation.

USCIS-IT-08-08 (New Issue; Risk Rating: Medium)
Condition: USCIS does not recertify its system administrator accounts on an annual basis.
Recommendation: Management should establish a more timely process to perform a periodic review of user accounts ensuring proper authorization and training.

                Department of Homeland Security
                 FY2008 Information Technology
     Notification of Findings and Recommendations – Detail

Immigration and Customs Enforcement

Columns: NFR #, Condition, Recommendation, New Issue / Repeat Issue, Risk Rating.

ICE-IT-08-04 (New Issue; Risk Rating: Medium)
Condition: During our FY 2008 follow-up, we noted the following:
- [redacted] authorizes user access for [redacted] for several DHS components; however, they lack a process to document, maintain or monitor user access forms from all components that use [redacted].
- Procedures for periodically recertifying and reviewing privileged [redacted] accounts were not established until June 2008.
Recommendation:
- Develop and implement a written policy discussing the standard process for requesting, authorizing, and granting [redacted] access for all users. This policy should include users and system administrators at the various Bureaus that ICE supports, as well as ICE system administrators and users. This written policy should outline the responsibilities of the system administrators, to include the procedures for maintaining the access request forms for all users, and ICE’s responsibility to periodically monitor all system administrators to ensure they are following the appropriate procedures.
- Enhance procedures for annually recertifying [redacted] administrator accounts to ensure that the recertification procedures are executed properly.

ICE-IT-08-09 (New Issue; Risk Rating: Low)
Condition: [redacted] contingency plan was not distributed to the offsite locations designated to support ICE in case of an emergency.
Recommendation: No recommendation will be offered as this issue was corrected upon notification.

ICE-IT-08-10 (New Issue; Risk Rating: Low)
Condition: [redacted] backup facility access is not appropriately secured from unauthorized access.
Recommendation: We recommend ICE develop procedures [redacted] to periodically review the backup facility [redacted], and update it accordingly.

                Department of Homeland Security
                 FY2008 Information Technology
     Notification of Findings and Recommendations – Detail

Customs and Border Protection

Columns: NFR #, Condition, Recommendation, New Issue / Repeat Issue, Risk Rating.
CBP-IT-08-02 (Repeat Issue; Risk Rating: Medium)
Condition: We noted that significant progress has been made at addressing this persistent finding. We noted that a full listing of connections to [redacted] has been developed and is maintained. However, we also noted that there are active connections to [redacted] that still do not have a documented [redacted] in place. Work is progressing within CBP to address the missing [redacted] but as of testing, we noted that not all connections had a documented [redacted].
Recommendation: We believe that work should continue to review and maintain a listing of active connections with the [redacted] and account for each connection with a documented [redacted].

CBP-IT-08-03 (Repeat Issue; Risk Rating: Medium)
Condition: CBP does not maintain a centralized listing of contract personnel, including employment status. Currently, CBP only maintains contractor information for OIT contractors. While this is a majority of CBP contractors, it does not include all CBP contractors. Additionally, as a result of additional test work we noted data validity issues in the [redacted].
Recommendation: We recommend that CBP continue work on the [redacted] to ensure that all CBP contractors are included in the database and that the data for each contractor is complete and accurate.

CBP-IT-08-08 (Repeat Issue; Risk Rating: Low)
Condition: We noted the following issues in regards to Security Audit Logs for [redacted]:
- A solution has been implemented to track and monitor security and audit related activity but has not been operational for the entire FY 2008.
- There is a configuration weakness for capturing security and audit related activity in the [redacted] application. The configuration has changed on multiple occurrences in regards to tracking activity for the ‘Logon to Account’ field in FY 2008.
- There is no defined method to generate and review security audit logs for security violations for the [redacted].
Recommendation: We recommend that CBP properly configure the application to capture appropriate data per DHS policy. We further recommend that a method for generating and reviewing security audit logs be developed for [redacted] according to CBP and DHS policy, to detect potential security events.

CBP-IT-08-09 (Repeat Issue; Risk Rating: Low)
Condition: We noted that during FY 2008, CBP implemented a script to disable accounts after 30 days of inactivity. However, we noted that the script was not functioning appropriately for the full fiscal year and was fixed during the third quarter of FY 2008.
Recommendation: We recommend that CBP ensure that the updated script runs regularly on the system to disable user accounts after the DHS-specified period of inactivity.

CBP-IT-08-12 (Repeat Issue; Risk Rating: Medium)
Condition: As noted in FY 2007, we noted that [redacted] is not installed on all workstations for the majority of the fiscal year. Specifically, we noted that as of 3/31/2008, 4,751 workstations out of 50,282 accounted for workstations do not have [redacted] installed.
Recommendation: We recommend that CBP develop procedures to regularly review and monitor the workstations that have [redacted] installed and perform inquiries to determine why identified workstations do not have [redacted] installed.

CBP-IT-08-13 (Repeat Issue; Risk Rating: Medium)
Condition: We noted that while progress has been made in accounting for all CBP workstations, a complete and up-to-date listing of all CBP workstations is not maintained.
Recommendation: We recommend that CBP work with administrators across the country to ensure that new and existing workstations are added to a CBP [redacted] domain to allow for all workstations to be accounted for in an appropriate fashion.

CBP-IT-08-16 (Repeat Issue; Risk Rating: Medium)
Condition: We noted that the [redacted] has been adjusted to limit active temporary and/or emergency access to 24 hours after the request. We noted, however, that the table is still being used and that administrator or supervisory approval is not required each time temporary or emergency access is activated and that ISSM approval is not required, as required in DHS policy.
Recommendation:
- Develop and implement procedures that will appropriately restrict the use of emergency or temporary access within [redacted] and that requires documented supervisory approval from the ISSM confirming this access is needed.
- Perform regular recertifications of the emergency access table to ensure persons with the capability to request temporary or emergency access need to remain on the emergency access table.

CBP-IT-08-18 (Repeat Issue; Risk Rating: Medium)
Condition: We noted there are currently no procedures in place for the completion of semi-annual recertifications of [redacted] accounts. We also noted that a recertification of [redacted] accounts is not performed on a semi-annual basis.
Recommendation:
- Develop formal procedures for recertifying [redacted] accounts and access to shared data.
- Perform regular recertifications of [redacted] accounts and access to shared data as required by developed procedures.

CBP-IT-08-21 (Repeat Issue; Risk Rating: Low)
Condition: We noted that when changes to a user’s access are performed in [redacted] the log of these events is not regularly reviewed by personnel independent from those individuals that made the changes. We further noted that logs from March 2008 through July 2008 have not been reviewed by the ISSO/Independent Reviewer.
Recommendation: We recommend that the review of these logs is implemented on a periodic basis by an independent reviewer and that CBP formalize these procedures in detail for the review of security audit logs.

CBP-IT-08-26 (Repeat Issue; Risk Rating: Low)
Condition: We noted that out of 25 dates, 6 [redacted] security violation report reviews were not provided.
Recommendation: We recommend that CBP follow DHS policy and maintain documented evidence of review for [redacted] for the duration outlined in DHS policy.

CBP-IT-08-27 (Repeat Issue; Risk Rating: Medium)
Condition: We noted that authorizations are not being maintained for personnel that have administrator access to [redacted]. Additionally, we noted in FY 2008 that access requests for new [redacted] administrator accounts are requested and approved verbally.
Recommendation:
- Develop and implement procedures to restrict access [redacted] administrative capabilities, and
- Require documented authorization requests and approval for each person requiring access to [redacted] administrative capabilities.

CBP-IT-08-28 (Repeat Issue; Risk Rating: Medium)
Condition: We noted that procedures have been developed to require access request forms for any new account created for the [redacted]. However, we noted that access request forms were not available for review for 3 accounts created by [redacted] administrators during FY 2008.
Recommendation: We recommend that CBP continue efforts to develop a method for tracking and consolidating access request forms for the [redacted] and continue to implement the procedures developed to control [redacted] account creation.

CBP-IT-08-29 (Repeat Issue; Risk Rating: Medium)
Condition: We noted that procedures are in place for the completion of the termination forms for separating government employees. We noted, however, that the forms are not completed consistently, with employee and/or supervisor signature missing from seven of the 25 separated employees selected.
Recommendation: We recommend that CBP require managers to consistently complete the CBP-241 forms that are required as set forth in CBP directives and policy.

CBP-IT-08-34 (Repeat Issue; Risk Rating: Low)
Condition: We noted that [redacted], the system used to enforce virus protection policies, was not installed on all CBP [redacted] on [redacted]. We noted that as of 8/11/2008, 0.25% of all workstations on [redacted] did not appear on the [redacted]. In addition to this, we could not conclude on whether all CBP workstations have antivirus protection, as those workstations that are not on [redacted] are not communicating with [redacted].
Recommendation: We recommend that CBP develop procedures to regularly review and monitor the workstations that have antivirus protection installed and perform inquiries to determine why identified workstations do not have the protection installed and updated.

CBP-IT-08-35 (Repeat Issue; Risk Rating: High)
Condition: During our technical testing, configuration management exceptions were identified on [redacted] and hosts supporting the [redacted] and [redacted] applications.
Recommendation: Implement the corrective actions for the recommendations listed within the NFR.

CBP-IT-08-36 (Repeat Issue; Risk Rating: High)
Condition: During our technical testing, patch management exceptions were identified on hosts supporting the [redacted] and the [redacted] and [redacted] applications.
Recommendation: Implement the corrective actions for the recommendations listed within the NFR.

CBP-IT-08-37 (New Issue; Risk Rating: Low)
Condition: We noted that formal procedures do not exist for [redacted] review process. We further noted that informal procedures are used by the network security specialist to inspect the [redacted] for suspicious activity and to document the review.
Recommendation: We recommend that CBP create formal procedures to document the [redacted] security violation review process.

CBP-IT-08-38 (New Issue; Risk Rating: Low)
Condition: We noted that formal procedures do not exist for the review process of [redacted] audit and [redacted]. We further noted that informal procedures are used by the [redacted] to inspect logs for suspicious and unusual activity and to document the review.
Recommendation: We recommend that CBP create formal procedures to document the review process for [redacted] audit and [redacted].

CBP-IT-08-39 (New Issue; Risk Rating: Low)
Condition: We noted that the ‘special characters’ requirement under password complexity is not set.
Recommendation: We recommend that CBP follow DHS policy and improve password complexity by including special characters for the application.

CBP-IT-08-40 (New Issue; Risk Rating: Low)
Condition: We noted that access authorizations for emergency and temporary access to [redacted] are not approved by [redacted].
Recommendation:
- Adjust CBP-level and [redacted]-level policies to require the ISSM to approve the emergency and temporary access authorizations prior to access being granted, and
- Require documented supervisory approval from the ISSM each time a user requires emergency access abilities.

CBP-IT-08-41 (New Issue; Risk Rating: Medium)
Condition: We noted that a Customs Directive was provided as separation procedures for contractors and the directive was dated September 2001. The directive references Treasury policies as source documentation. This directive is out of date as CBP is no longer a part of the Department of Treasury.
Additionally, we noted that [redacted] contractor separation forms are not completed consistently for separating CBP contractors. Specifically, we noted that all forms for selected separated contractors were completed; however, 6 of the selected 25 separated contractors’ forms were completed between one and several months after the individual separated from CBP.
Recommendation:
- Review the current directive, document an up-to-date review of this document and make modifications as needed based on the new operating environment for CBP as part of the Department of Homeland Security, and
- Require the consistent and accurate completion of the [redacted] forms for all separating contractors.

CBP-IT-08-43 (New Issue; Risk Rating: Medium)
Condition: We noted that the most recent business continuity plan testing was incomplete.
Recommendation: We recommend that CBP allocate the
Specifically, we        appropriate hardware to            to allow for the\n          noted that not all systems were brought online as    system availability to fully test the business\n          required since sufficient hardware was unavailable   continuity plan to ensure that           has the\n          at the recovery facility to fully and properly       capability to support CBP in the event that the\n          perform the continuity testing.                            is rendered unavailable for production.\n\n\n\n\n                                                                    33\n               Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                 Appendix B\n                                                Department of Homeland Security\n                                            Information Technology Management Letter\n                                                       September 30, 2008\n\n\n                                                                                                                     New     Repeat    Risk\nNFR #                         Condition                                         Recommendation\n                                                                                                                     Issue    Issue   Rating\nCBP-IT-   We noted that non-disclosure agreements are not        We recommend that CBP enforce DHS\xe2\x80\x99                    X               Low\n 08-44    consistently signed by contractors at CBP.             
requirement that a non-disclosure agreement be\n                                                                 signed by all contractors in a moderate and high\n                                                                 risk level position to ensure that they are aware\n                                                                 of their responsibilities in protecting the\n                                                                 confidentiality of DHS and CBP data.\nCBP-IT-   We noted that the parameters for the                   We recommend that CBP properly configure             X                Low\n 08-45                                                                       audit and                       to\n                                                                 capture appropriate data for the\n                                             are not             system.\n          configured to collect appropriate data. We further\n          noted that 3 out of the\n\n                             do not produce any data in the\n          log.\nCBP-IT-   We noted that a total of 10 specific logs were not     We recommend that CBP maintain                       X                Low\n 08-46    available for the following dates: November 12,        audit and               per DHS policy.\n          2007, February 22, 2008, and March 7, 2008. 
For\n          November 12, 2007, logs were not available for\n\n                                              For February\n          22, 2008, logs were not available for the\n                                              For March 7,\n          2008, logs were not available for\n                                              We further noted\n          that all mainframe audit and\n          that went digital after April 1, 2008 were available\n          for review.\n\n\n\n\n                                                                      34\n               Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                              Appendix B\n                                               Department of Homeland Security\n                                           Information Technology Management Letter\n                                                      September 30, 2008\n\n\n                                                                                                                  New     Repeat    Risk\nNFR #                         Condition                                      Recommendation\n                                                                                                                  Issue    Issue   Rating\nCBP-IT-   We noted that CBP does not currently require         We recommend that CBP require all CBP                X               Low\n 08-47    individuals to sign rules of behavior prior to       personnel (employees and contractors) sign rules\n          gaining access to                            .       of behavior prior to being granted any system\n                                                               access. 
Additionally, for personnel that already\n                                                               have systems access, CBP should prioritize\n                                                               having these individuals sign rules of behavior\n                                                               to maintain their systems access.\nCBP-IT-   We noted the following weaknesses for the            We recommend that CBP create detailed               X                Low\n 08-48                         procedures below:               procedures that document the review process for\n          \xe2\x80\xa2 Procedures do not define how often the                  security audit logs that includes the\n              security audit logs are reviewed,                documented evidence of review.\n          \xe2\x80\xa2 Procedures do not describe the documented\n              evidence of review process,       Security\n              Violation Log Report that is created by the\n                   ISSO/Independent Reviewer,\n          \xe2\x80\xa2 Procedures do not define the sampling\n              methodology that is used to select       daily\n              security logs, and\n          \xe2\x80\xa2 Procedures were not effective for the entire\n              FY 2008 (October 1, 2007 \xe2\x80\x93 September 30,\n              2008).\nCBP-IT-   We noted that the initial password granted to new    We recommend that CBP update the                    X               Medium\n 08-49         accounts was not in compliance with DHS         Security Administrator Handbook to require a\n          requirements.                                        
strong password that is in compliance with DHS\n                                                               and CBP password policies to be set as the\n                                                               initial password for all new     accounts.\n\n\n\n\n                                                                   35\n               Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                               Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2008\n\n\n                                                                                                                   New     Repeat    Risk\nNFR #                          Condition                                        Recommendation\n                                                                                                                   Issue    Issue   Rating\nCBP-IT-   CBP has no method of tracking completion of             We recommend that CBP develop a method for         X               Low\n 08-50    security awareness training for CBP employees           determining individuals who have and have not\n          and contractors. Individuals from the program           completed security awareness so that they can\n          team responsible for security awareness training        actively work towards 100% compliance with\n          do not have the ability to identify those individuals   the DHS requirement that all individuals with\n          who have not completed security awareness               systems access complete annual security\n          training. 
Therefore, CBP can not ensure all             awareness training.\n          personnel have completed this training.\nCBP-IT-   We noted through inquiry with the                       We recommend that CBP document their              X                Low\n 08-51    that documented hardware maintenance                    hardware maintenance procedures to ensure a\n          procedures do not exist.                                consistent application of maintenance\n                                                                  methodologies for the         environment.\n\nCBP-IT-   We determined that the CBP workstation policy           We recommend that CBP determine a method          X                Low\n 08-52    for screensavers is not appropriately implemented.      for appropriately applying CBP and DHS policy\n          Specifically, we noted that the configuration of a      requiring automatically-activated, password-\n          password-protected screensaver can be modified          protected screensavers after a period of\n          by the user, allowing that user to remove the           inactivity.\n          password requirement and disable the screensaver\n          completely.\nCBP-IT-   The         Security Administrators Handbook is out     We recommend that a full review of the            X                Low\n 08-53    of date and has inaccurate statements of CBP and        Security Administrators Handbook be performed\n          DHS policies. Specifically, we noted:                   and updates be made to the document to reflect\n          x Out-of-date references to US Customs                  the current operating environment. 
This review\n               Service,                                           should be fully documented and the Handbook\n          x References to out-of-date Customs (now CBP)           should be updated to include a change log as\n               policies and procedures (1400-05a),                evidence of the updates made.\n          x Requirement that          initial passwords are\n               set to a weak password string, and\n          x Statement that          does not allow special\n               characters in passwords.\n\n\n\n                                                                      36\n               Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                 Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2008\n\n\n                                                                                                                     New     Repeat    Risk\nNFR #                          Condition                                         Recommendation\n                                                                                                                     Issue    Issue   Rating\nCBP-IT-   We noted the following weaknesses in            access   We recommend that CBP document and                  X              Medium\n 08-54    control procedures:                                      implemented policies and procedures for\n          x A regular (at least semi-annual) recertification       access control.\n              of all        portal accounts is not performed,\n          x Formal procedures are not documented for the\n              creation of         portal 
accounts, and\n          x          is not configured to disable accounts\n              after 45 days of inactivity on the system.\nCBP-IT-   We noted that 2 accounts created during FY 2008          We recommend that CBP limit the organization       X               Medium\n 08-55    did not have appropriate access authorization            that can create      accounts, administrator\n          forms maintained by the Metro Area                       accounts and require any accounts be created by\n          administrators. We further noted that multiple           a single organization.\n          administrators on the               had accounts\n          created by other groups than the Metro Area\n          Support Team.\n\n\n\n\n                                                                       37\n               Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                         Appendix B\n                          Department of Homeland Security\n                      Information Technology Management Letter\n                                 September 30, 2008\n\n\n\n\n                Department of Homeland Security\n                 FY2008 Information Technology\n     Notification of Findings and Recommendations \xe2\x80\x93 Detail\n\n\n                       \xc2\x84   United States Coast Guard\n\n\n\n\n                                         38\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                            Appendix B\n                                                   Department of Homeland Security\n                                               Information Technology Management Letter\n                                                          September 30, 2008\n\n\n     
Department of Homeland Security
FY2008 Information Technology
Notification of Findings and Recommendations - Detail
United States Coast Guard

NFR # | Condition | Recommendation | New Issue | Repeat Issue | Risk Rating

CG-IT-08-01 (Repeat Issue; Risk Rating: Low)
Condition: The [redacted] has not been updated to reflect the results of testing the [redacted], and the Business Continuity Plans (BCPs) for each division have not been finalized.
Recommendation: Update the [redacted] as the result of its testing and finalize the applicable supporting BCPs.

CG-IT-08-06 (Repeat Issue; Risk Rating: High)
Condition: During the first half of the fiscal year, the contract with the [redacted] software vendor was still in place, and no corrective action had taken place related to the prior year recommendation. Therefore, the risk exists that the condition was present for the majority of the fiscal year (October 1, 2008 through April 1, 2008). However, due to the Coast Guard decision to terminate the contract with their software vendor and the Coast Guard Headquarters decision to suspend all [redacted] and [redacted], the condition did not exist beyond the date of these 2 events.
Recommendation:
• Enhance existing Configuration Management/Change Management policies and procedures to explicitly address security configurations and software patches (e.g., those associated with system/application "builds", service packs, and maintenance releases) to better ensure compliance with DHS requirements and NIST guidance.
• Communicate with and educate affected staff regarding these improved policies and procedures.
• Develop, communicate, and implement procedures to periodically review system changes and system baselines.

CG-IT-08-07 (Repeat Issue; Risk Rating: Low)
Condition: We determined that [redacted] has not implemented the following password requirements:
• Passwords shall contain special characters
• Passwords shall not contain any dictionary word
• Passwords shall not contain any proper noun or the name of any person, pet, child, or fictional character
• Passwords shall not contain any employee serial number, Social Security number, birth date, phone number, or any information that could be readily guessed about the creator of the password
• Passwords shall not contain any simple pattern of letters or numbers, such as "qwerty" or "xyz123"
• Passwords shall not be any word, noun, or name spelled backwards or appended with a single digit or with a two-digit "year" string, such as 98xyz123
• Passwords shall not be the same as the User ID
While compensating controls were implemented to reduce the risk of unauthorized access, they do not by themselves eliminate that risk.
Recommendation:
• Continue with the plans to upgrade the [redacted] operating system in order to enforce password complexity requirements to meet the DHS Sensitive System Policy Directive 4300A.
• Continue to implement mitigating controls to reduce the risk of unauthorized individuals gaining access to the system.
• Educate all employees and contractors on the DHS Sensitive System Policy Directive 4300A password requirements so they can set their passwords in accordance with policy despite the system's inability to enforce them.

CG-IT-08-10 (Repeat Issue; Risk Rating: High)
Condition: Coast Guard Headquarters has developed but not yet implemented policies and procedures to require that a favorably adjudicated background investigation be completed for all contractor personnel.
Recommendation: Create and implement contractor background investigation policies and procedures in order to establish requirements and ensure compliance with the DHS Sensitive System Policy Directive 4300A. This includes the verification that all contracts issued by the Coast Guard include the appropriate Coast Guard position sensitivity designation requirements for contracted personnel.

CG-IT-08-14 (Repeat Issue; Risk Rating: Medium)
Condition: Coast Guard headquarters has not finalized the Role-Based Training for USCG Information Assurance Professionals Commandant Instruction, which will require all Coast Guard members, employees, and contractors with significant IT security responsibilities to receive initial specialized training and annual refresher training thereafter. The online [redacted] ([redacted]), which will track compliance, will not be implemented until the Role-Based Training is implemented.
Recommendation:
• Continue efforts to finalize and implement the Role-Based Training for USCG Information Assurance Professionals Commandant Instruction, which would require personnel with significant information security responsibilities to complete specialized role-based training on an annual basis.
• Develop and deploy this specialized role-based training throughout the Coast Guard.
• Implement the use of the [redacted] in order to track and verify specialized role-based training requirements compliance.

CG-IT-08-15 (Repeat Issue; Risk Rating: Low)
Condition: Until August 2008, configuration management weaknesses continued to exist on hosts supporting the [redacted] Database. Note: Due to the nature of this testing, see the tables in the NFR for the specific conditions.
Recommendation: Through our test work, we determined that the prior year control weakness had been remediated prior to the fiscal year-end; therefore, no recommendation is required for this NFR.

CG-IT-08-17 (Repeat Issue; Risk Rating: Low)
Condition: Although [redacted] has made significant progress in remediation, we were unable to verify that [redacted] is consistently remediating the vulnerabilities identified by the [redacted] scans in order to make it an effective mitigating control for the [redacted] application.
Recommendation: Continue to use the currently implemented mitigating controls for those DHS password requirements that cannot be enforced by the system. Specifically, [redacted] should continue to routinely use the [redacted] scanner and remediate any identified password weakness vulnerabilities.

CG-IT-08-22 (Repeat Issue; Risk Rating: Medium)
Condition: Until August 15, 2008, when corrective actions were successfully implemented, password rules had not been appropriately configured for the [redacted] application. We noted that:
• [redacted] does not require passwords to be a minimum of eight characters;
• [redacted] does not require a combination of alphabetic, numeric, and special characters;
• [redacted] does not restrict dictionary words;
• [redacted] does not restrict simple pattern passwords;
• [redacted] does not restrict dictionary words spelled backwards;
• [redacted] does not restrict the use of proper names;
• [redacted] does not restrict the use of the employee's user ID.
Recommendation: Through our test work, we determined that the prior year control weaknesses were remediated prior to the fiscal year-end; therefore, no recommendation is required for this NFR.

CG-IT-08-23 (Repeat Issue; Risk Rating: Medium)
Condition: Policies and procedures have not been developed and implemented for the manual periodic review of [redacted] audit logs. As a result, [redacted] audit logs are not periodically reviewed.
Recommendation:
• Develop procedures for the periodic review of the manual [redacted] audit logs in accordance with DHS policy.
• Ensure that an entity independent of the personnel administering the [redacted] application reviews system audit trails on a regular basis as part of a more comprehensive continuous monitoring program.
• Ensure audit log files are configured, retained, and archived in compliance with DHS policy.

CG-IT-08-25 (Repeat Issue; Risk Rating: Medium)
Condition:
• Procedures have been created and implemented for the quarterly review of developer and analyst roles. However, the procedures do not include the review of all other [redacted] user accounts to ensure that all terminated individuals no longer have active accounts, that inactive accounts are locked, and that privileges associated with each individual are still authorized and necessary.
• 529 users have unlocked [redacted] database accounts with access to the [redacted]. Therefore, the number of users with the [redacted] role has increased by 141 users from the 388 users noted during FY 2007. Additionally, a mapping [redacted] roles within the [redacted] application to the tables that can be updated within the [redacted] database has not been created. Therefore, we are unable to perform an analysis of the [redacted] roles and the associated tables that are affected to determine whether access is appropriately restricted.
• The password configurations for the [redacted] and [redacted] profiles will not be updated to be in compliance with DHS guidance until after the [redacted] upgrade. Since no improvements have been made in regards to the password configuration, we determined that the password configurations continue not to meet the DHS requirement that a user password contain at least one special character.
Recommendation:
• Develop and implement procedures to require a periodic review of all [redacted] accounts and their associated privileges. These procedures should include steps to verify that all terminated individuals no longer have active accounts, that inactive accounts are locked and that privileges associated with each individual are still authorized and necessary.
• Continue to reduce the number of tables that can be updated to ensure that each user has a business need to update each table.
• Document a mapping between the [redacted] flow roles and the associated database tables that are affected.
• Continue with plans to complete the [redacted] upgrade and configure the [redacted] password requirements to be in compliance with DHS guidance.

CG-IT-08-27 (Repeat Issue; Risk Rating: Medium)
Condition: Progress was made during FY 2008, but weaknesses still exist.
Recommendation:
• Establish and enforce procedures to ensure
Specifically, we noted that:                                       access request forms are documented,\n            x         access request forms are documented and                approved, and provided to       prior to\n               approved;                                                     establishing a      user account.\n            x        user accounts are revalidated annually; and\n                                                                         x   Continue to develop and implement policy and\n            x         access is revoked in a timely manner for               procedures for re-validating       user\n               employees or contractors that have left Coast Guard or        accounts in order to meet the requirements of\n               are re-assigned to other duties.                              the DHS Sensitive System Policy Directive\n                                                                             4300A.\n                                                                         x    Establish and enforce procedures to ensure\n                                                                                    access is revoked for employees or\n                                                                              contractors who leave the Coast Guard or are\n                                                                              reassigned to other duties in order to meet the\n                                                                              requirements of the DHS Sensitive System\n                                                                              Policy Directive 4300A.\nCG-IT-   Coast Guard\xe2\x80\x99s controls over the scripting process remain        In order for management to assert to any financial                X       High\n08-31    ineffective. 
Weaknesses were noted in controls over script      statement line items, Coast Guard should:\n         implementation, approvals and testing, as well as active        x Continue to design, document, implement, and\n         script modification. In addition, Coast Guard has not                demonstrate the effectiveness of internal\n         maintained or developed a population of scripts run since            controls associated with the active (current and\n         the inception of       in 2003 nor has it performed a                future) scripts.\n         historical analysis of script impact on the cumulative\n                                                                         x   Identify and evaluate the historical scripts (all\n\n                                                                        43\n                Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                       Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2008\n\n\n                                                                                                                               New     Repeat    Risk\nNFR #                            Condition                                              Recommendation\n                                                                                                                               Issue    Issue   Rating\n        balances in permanent accounts of the financial statements.        
those implemented prior to those identified in\n        Specifically:                                                      recommendation 1 above) to determine the\n          x Coast Guard lacks a formal process to distinguish              financial statement impact on cumulative\n             between the module lead approvers for script approval         balances in permanent accounts; and develop\n             requests;                                                     and maintain supporting procedures related to\n                                                                           each script.\n          x The Procedures for                do not specifically\n             state the testing and documentation requirements for      With respect to procedures already in place, Coast\n             blanket approval scripts and this policy remains in       Guard should:\n             draft form;                                               x Continue to update script policies and\n          x Coast Guard does not monitor scripts run in the               procedures to include clear guidance over\n             database through audit logging and has not developed         module lead approvers, testing and\n             a technical solution to monitor who accesses the             documentation requirements, monitoring/audit\n             database through        Navigator to run scripts or          log reviews, and blanket approval\n             review what scripts are run;                                 requirements\n          x The                             does not consistently      x   Finalize and implement policies and\n             include all testing, approval, and implementation             procedures governing the script change control\n             documentation for all scripts; and                            process including completing records within\n          x Coast Guard has not completed           documentation          the                     
      for all executed\n             for all scripts executed since their implementation.          scripts and ensuring that all scripts are tested\n                                                                           in an appropriate test environment prior to\n                                                                           being put into production.\n\n                                                                       Regarding the actual scripts themselves, Coast\n                                                                       Guard should:\n                                                                       x Determine the root causes and specific\n                                                                          detailed actions necessary to correct the\n                                                                          conditions that resulted in scripts, for the total\n                                                                          population of scripts run at            in order\n                                                                          to develop system upgrades that would\n                                                                          eliminate the use of some of the scripts.\n\n\n                                                                      44\n               Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                     Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2008\n\n\n                                                                                                                             New    
 Repeat    Risk\nNFR #                            Condition                                             Recommendation\n                                                                                                                             Issue    Issue   Rating\n                                                                       x   Continue efforts to complete an in-depth\n                                                                           analysis of active scripts, with the following\n                                                                           objectives:\n                                                                            o All changes to active scripts and new\n                                                                                 scripts should be subject to an\n                                                                                 appropriate software change control\n                                                                                 process to include testing, reviews, and\n                                                                                 approvals.\n                                                                            o All active scripts should be reviewed for\n                                                                                 impact on financial statement balances.\nCG-IT-   Although Coast Guard Headquarters has mandated the use        x   Finalize the procedure documentation and                    X      Medium\n08-32    of       to maintain and track contracted personnel data,         communicate/distribute the procedures\n         procedures surrounding this process have not been formally\n         documented. 
As a result, we were unable to determine the      x   Continuously monitor controls over          to\n         effectiveness of the controls in place for contractor             verify that contractor data within the system\n         tracking.                                                         remains current and accurate.\nCG-IT-   Coast Guard does not consistently notify system owners        x   Implement an automated process/system that                  X      Medium\n08-33    that individuals are terminating from the Coast Guard so          will notify system owners of terminated\n         that system accounts can be updated timely.                       contractor, military, and civilian personnel.\n                                                                       x   Finalize and implement entity management\n                                                                           policies and procedures for verifying that\n                                                                           terminated user accounts have been\n                                                                           successfully removed.\nCG-IT-   All               are not being appropriately reviewed and    x   Reconfigure the        tool to not allow the                X      Medium\n08-34    approved by management prior to                                   automatic approval of               upon\n         development/deployment. In addition,            developers        creation.\n         and testers are not updating information in the       tool\n         in a timely manner.                                           
x   Enforce established change control policies\n                                                                           and procedures by reviewing and approving:\n                                                                           a) all software change requests prior to\n                                                                           developing the changes; b) test results; and c)\n                                                                           all tested developed changes prior to\n\n                                                                      45\n                Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                          Appendix B\n                                                  Department of Homeland Security\n                                              Information Technology Management Letter\n                                                         September 30, 2008\n\n\n                                                                                                                                  New     Repeat    Risk\nNFR #                             Condition                                                Recommendation\n                                                                                                                                  Issue    Issue   Rating\n                                                                               deploying the changes into the production\n                                                                               environment.\n                                                                           \xe2\x80\xa2   Ensure that the          development and test\n                                                                               staff adheres to the policies and 
procedures for\n                                                                               updating software change control information\n                                                                               within the         tool.\nCG-IT-   We noted that control weaknesses still exist within the           \xe2\x80\xa2            : develop, implement, communicate,                  X       High\n08-35    design of             s Configuration Management policies             and enforce procedures regarding how\n         and procedures for          and      as well as the                   changes are to be controlled, documented,\n         operating effectiveness of those controls. Our test work              tracked, and reviewed as these changes\n         over the design of the change controls covered both                   progress through testing and into production.\n         periods of the change control environment; however, our\n         testing of operating effectiveness covered only the period        \xe2\x80\xa2   Coast Guard Headquarters: develop,\n         of start of the fiscal year through March 2008, since there           implement, communicate, and enforce\n         were no changes made to           and     from April                  procedures regarding how change control\n         through the remainder of the fiscal year.                             
documentation will be maintained, reviewed,\n                                                                               and validated in accordance with the DHS\n                                                                               Sensitive System Policy Directive 4300A.\nCG-IT-   Configuration management weaknesses continue to exist             \xe2\x80\xa2   Implement the corrective actions for the                     X      Medium\n08-36    on hosts supporting the        and                                    recommendations listed within the NFR.\n         and the underlying\n                                                                           \xe2\x80\xa2   Continue to implement polices and procedures\n         Note: Due to the nature of this testing, see the tables in the        to ensure that the tested and deployed software\n         NFR for the specific conditions.                                      builds include required software patches and\n                                                                               have current, correct, and compliant security\n                                                                               configuration settings.\nCG-IT-   Security patch management weaknesses continue to exist            \xe2\x80\xa2   Implement the corrective actions for the                     X      Medium\n08-37    on hosts supporting the        and                                    recommendations listed within the NFR.\n         and\n                                                                           \xe2\x80\xa2   Continue to implement polices and procedures\n         Note: Due to the nature of this testing, see the tables in the        to ensure that the tested and deployed software\n         NFR for the specific conditions.                                      
builds include required software patches and\n                                                                               have current, correct, and compliant security\n\n                                                                          46\n                Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                           Appendix B\n                                                   Department of Homeland Security\n                                               Information Technology Management Letter\n                                                          September 30, 2008\n\n\n                                                                                                                                   New     Repeat    Risk\nNFR #                              Condition                                                 Recommendation\n                                                                                                                                   Issue    Issue   Rating\n                                                                                 configuration settings.\nCG-IT-   Although Coast Guard Headquarters is in the process of              x   Perform initial background investigations and               X      Medium\n08-40    completing background investigations for all civilian                   re-investigations for civilian employees in\n         employees, this has not been completed. Additionally,                   accordance with position sensitivity\n         Coast Guard has set its position sensitivity designations to            designations at no less than the Moderate level\n         Low for the majority of its employees. 
However, DHS                     as required by DHS directives; and\n         requires position sensitivity designations no less than\n         Moderate which equates to          . Therefore, we                  x   Conduct civilian background re-investigations\n         determined that the conditions noted in prior year NFR CG-              every ten (10) years, as required by DHS\n         IT-07-40 have not been remediated.                                      directives, to ensure that each employee has a\n                                                                                 favorably adjudicated and valid       .\nCG-IT-              has not completed the risk assessment for the             Finalize and implement             Package for the             X       Low\n08-41                and the                                     is still                  in accordance with DHS and NIST\n         in draft form.                                                                            guidance.\nCG-IT-   During prior financial statement audits dating back to FY           x Continue to implement, improve, and                           X       High\n08-42    2003, we noted that implementation and oversight of the                 monitor compliance with DHS, Coast\n         Coast Guard\xe2\x80\x99s information security policy and procedures                Guard, and Federal security policies and\n         was fragmented among the organizations responsible for                  procedures in the areas of Change Controls\n         operating various applications/systems. 
In FY 2008,                 x Continue to improve and monitor\n         significant improvements have been made in some areas,                  compliance with DHS, Coast Guard, and\n         however, improvements are still warranted at the Coast                  Federal security policies and procedures in\n         Guard data centers/locations that operate and process key               the areas of:\n         Coast Guard financial information. Improvements are                     - Access Controls\n         needed especially in the areas of change control and to a               - Entity-wide Security Planning\n         lesser extent access to data and programs. These two key                - Service Continuity\n         areas were the subject of significant findings identified and           - Segregation of Duties\n         recommendations that were made during the audit.                        - System Software\n                                                                                 - Application Controls\n         As a result of our audit test work and supported by all the\n                                                                             x Develop and implement corrective action\n         IT NFRs issued during the current year, we determined that\n                                                                                 plans to address and remediate the NFRs\n         Coast Guard is non-compliant with the Federal Financial\n                                                                                 issued during the FY 2008 audit. 
These\n         Management Improvement Act (FFMIA).\n                                                                                 corrective action plans should be developed\n\n\n                                                                            47\n                 Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                      Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2008\n\n\n                                                                                                                              New     Repeat    Risk\nNFR #                            Condition                                            Recommendation\n                                                                                                                              Issue    Issue   Rating\n                                                                          from the perspective of the identified root\n                                                                          cause of the weakness. In addition, the IT\n                                                                          NFRs should not be assessed as individual\n                                                                          issues to fix, but instead, should be assessed\n                                                                          collectively based upon the area where the\n                                                                          weakness was identified. 
This approach\n                                                                          would enable a corrective action that would\n                                                                          be more holistic in nature, thereby leading to\n                                                                          a more efficient and effective process of\n                                                                          fixing the controls that are not operating\n                                                                          effectively.\nCG-IT-   During our testwork over                 access accounts,    x   Implement and document the            user access    X               Medium\n08-43    we noted that controls over user account authorizations          review procedures to include all         access\n         were not operating effectively, and controls over user           privileges and include supervisors in each\n         account reviews were not operating effectively.                  
review.\n                                                                      x   Update procedures to ensure that a\n                                                                          documented and approved access\n                                                                          authorization request is completed for each\n                                                                          individual prior to granting him/her access to\n                                                                          the                 applications or databases.\n\n\n\n\n                                                                     48\n                Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                         Appendix B\n                          Department of Homeland Security\n                      Information Technology Management Letter\n                                 September 30, 2008\n\n\n\n\n                 Department of Homeland Security\n                  FY2008 Information Technology\n      Notification of Findings and Recommendations - Detail\n\n\n              \xc2\x84   Federal Emergency Management Agency\n\n\n\n\n                                         49\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                 Appendix B\n                                                  Department of Homeland Security\n                                              Information Technology Management Letter\n                                                         September 30, 2008\n\n\n                                                Department of Homeland Security\n                                                 FY2008 Information Technology\n             
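The password requirements cited in the Coast Guard findings above (minimum length of eight, a mix of alphabetic, numeric and special characters, no dictionary words forwards or backwards, no simple patterns, no proper names, no employee user ID, and the special-character requirement from CG-IT-08-25) can be enforced with a checker like the one below. This is an added example, not code from the management letter or from any Coast Guard system; the dictionary and name lists are constructed samples, and all function, rule and user-ID names are the example's own.

```python
"""Password-policy check for the DHS password requirements cited in the
Coast Guard NFRs.  Added example; not code from the management letter."""
import re
import string

MIN_LENGTH = 8                      # "minimum of eight characters"
SPECIAL = set(string.punctuation)   # what counts as a "special character"
MIN_WORD_LEN = 4                    # shorter dictionary words match too often

# Constructed sample word lists (assumption: a deployment loads full
# dictionary and proper-name lists; these entries only exercise the rules).
DICTIONARY = {"password", "welcome", "summer", "coast", "guard", "secret", "admin"}
PROPER_NAMES = {"richard", "skinner", "john", "mary", "boston"}
KEYBOARD_ROWS = ("qwerty", "asdfgh", "zxcvbn")


def _has_char_mix(pw):
    """Rule: alphabetic, numeric, and special characters must all be present."""
    return (any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIAL for c in pw))


def _find_word(pw, words, reverse=False):
    """Return the first list word (or reversed word) embedded in the password."""
    low = pw.lower()
    for word in words:
        if len(word) < MIN_WORD_LEN:
            continue
        probe = word[::-1] if reverse else word
        if probe in low:
            return probe
    return None


def _is_simple_pattern(pw):
    """Rule: reject repeats (aaa), runs (abcd, 4321) and keyboard rows."""
    low = pw.lower()
    if re.search(r"(.)\1{2,}", low):          # same character three or more times
        return True
    if any(row in low for row in KEYBOARD_ROWS):
        return True
    for i in range(len(low) - 3):             # any four consecutive ascending/descending codes
        codes = [ord(c) for c in low[i:i + 4]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(password, user_id):
    """Return the list of requirements the password fails (empty if compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("min_length")
    if not _has_char_mix(password):
        failures.append("char_mix")
    if _find_word(password, DICTIONARY):
        failures.append("dictionary_word")
    if _is_simple_pattern(password):
        failures.append("simple_pattern")
    if _find_word(password, DICTIONARY, reverse=True):
        failures.append("reversed_dictionary_word")
    if _find_word(password, PROPER_NAMES):
        failures.append("proper_name")
    if user_id and user_id.lower() in password.lower():
        failures.append("user_id")
    return failures


def is_compliant(password, user_id):
    return not check_password(password, user_id)


if __name__ == "__main__":
    # Constructed sample passwords checked for a hypothetical user ID "jsmith".
    for pw in ("Coast123!", "jsmith2008#", "Abcd1234!!", "drauG!7x2Q", "T7#kq!Lz9m"):
        print(f"{pw!r:16} -> {check_password(pw, 'jsmith') or 'compliant'}")
```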
                                        Department of Homeland Security
                                         FY2008 Information Technology
                           Notification of Findings and Recommendations - Detail

                                      Federal Emergency Management Agency

NFR #    Condition    Recommendation    New Issue    Repeat Issue    Risk Rating

FEMA-IT-08-02
  Condition: The [redacted] application database instance is [redacted] and the [redacted] application database instance is [redacted]. Specifically, servers were identified with password and auditing configuration weaknesses.
  Recommendation: FEMA should implement the corrective actions listed in the NFR for each technical control weakness identified.
  New Issue: [ ]  Repeat Issue: [X]  Risk Rating: High

FEMA-IT-08-03
  Condition: [redacted] accounts did not complete a new FEMA Form 20-24 in response to the recertification process.
  Recommendation: Ensure that the OCFO Procedures for Granting Access to [redacted] are consistently followed by continuing to perform and document a review of all [redacted] accounts in accordance with DHS policy, including supervisor verification of all access privileges granted through the submission of a new FEMA Form 20-24 by all federal employees and contractors.
  New Issue: [ ]  Repeat Issue: [X]  Risk Rating: High

FEMA-IT-08-06
  Condition: We noted that FEMA has made a management decision not to develop policies and procedures over the modification of [redacted] account functions until the new [redacted] system upgrade occurs. We noted that FEMA has reported in the Plan of Action and Milestones that they expect to address corrective action for this weakness in FY 2010. As a result, a formalized process does not exist to guide [redacted] staff in the modification of the system to ensure that appropriate privileges are created, documented, and approved for a specific function.
  Recommendation: We recommend that FEMA develop and implement policies and procedures documenting the process of adding, deleting, and modifying [redacted] system functions to ensure that the proper controls are in place for modifying user account privileges.
  New Issue: [ ]  Repeat Issue: [X]  Risk Rating: Low

FEMA-IT-08-12
  Condition: FEMA informed us that the automated manager certification process has not yet begun. Therefore, the FY 2008 [redacted] recertification has not been completed and the risk of unauthorized users accessing [redacted] was present for a majority of the fiscal year.
  Recommendation:
    • Dedicate resources to complete the review of [redacted] user access for FY 2008 and conduct subsequent annual reviews of [redacted] user access by performing the management certification process in accordance with FEMA and DHS policies and procedures.
    • Fully implement the policies and procedures in place for the [redacted] recertification process and retain auditable records, in accordance with DHS Policy, that provide evidence that recertifications are conducted and completed periodically with timeliness.
  New Issue: [ ]  Repeat Issue: [X]  Risk Rating: Medium

FEMA-IT-08-13
  Condition: We were informed that terminated users are to have the "[redacted]" role applied to their account profile prior to being removed from the application, which overrides all existing roles and deactivates any existing privileges within the
  Recommendation: Ensure that policies and procedures over removal of separated user access to [redacted] and [redacted] are consistently followed by removing accounts for any separated users immediately upon notification of separation according to FEMA, DHS and NIST
  New Issue: [ ]  Repeat Issue: [X]  Risk Rating: High
  (row continues on the next page)
 guidance.\n         application although the individual can still\n         log into the account. However, FEMA\n         Instruction 2200.7 specifies that personnel\n         separating from FEMA shall have all\n         access privileges cancelled and their user\n         account removed. Consequently, although\n         the risk is mitigated by the limited access\n         rights on the accounts with the\n         \xe2\x80\x9c                   privilege, those six\n         accounts demonstrate that the policies and\n         procedures surrounding the\n         terminated user process are not consistently\n         applied and the accounts have not been\n\n                                                                         51\n                 Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2008\n\n\n                                                                                                                                          Risk\nNFR #                    Condition                                      Recommendation                        New Issue   Repeat Issue\n                                                                                                                                         Rating\n         removed. 
Additionally, four (4) out of the\n         ten (10) accounts remained on the\n         system with an active status.\n\n\nFEMA-    There is no documented evidence to support     We recommend that FEMA establish a process                             X         Medium\nIT-08-   that monitoring of the \xe2\x80\x9c          directory    within existing procedures for retaining\n  17     and sub-directories is occurring.              documented evidence that the \xe2\x80\x9c            directory\n                                                        and sub-directories are being monitored to verify\n                                                        that only authorized changes are implemented into\n                                                        production.\nFEMA-    While FEMA informed us that system             We recommend that FEMA\xe2\x80\x99s process for                                   X         Medium\nIT-08-   software activity is logged, we were unable    monitoring sensitive access and suspicious activity\n  19     to obtain evidence that the audit logs were    on          system software include retention of\n         reviewed on a periodic basis.                  
evidence that audit records are proactively\n                                                        reviewed.\nFEMA-    Per inspection of the POA&M, we noted          x Complete on-going efforts to fully establish                         X          High\nIT-08-   that corrective action was initiated by             and implement an alternate processing site for\n  22     FEMA to implement an alternate processing           the         system according to the DHS\n         facility for         but that the alternate         Sensitive System Policy Directive 4300A.\n         site has not been established.\n                                                        x   Ensure that redundant servers are created at\n         Due to the magnitude of the project scope,         the alternate processing site for the\n         implementation of an alternate processing          servers located at the\n         site will not be achieved within twelve (12)                                       during\n         months. 
Consistent with DHS policy for             implementation of the center as the alternate\n         corrective actions that cannot be                  processing site.\n         implemented within twelve (12) months, a\n         DHS IT Security Program Waiver (number\n                                                        x   Update the existing waiver, as required, in\n         WR-2008-012) was approved by the DHS\n                                                            accordance with effective DHS policy\n                in March 2008 to provide FEMA with\n                                                            regarding waivers and ensure that\n         additional time to plan and develop an\n                                                            compensating controls described in the waiver\n         effective alternate processing site for\n\n                                                                      52\n                Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                              Appendix B\n                                                Department of Homeland Security\n                                            Information Technology Management Letter\n                                                       September 30, 2008\n\n\n                                                                                                                                        Risk\nNFR #                    Condition                                      Recommendation                      New Issue   Repeat Issue\n                                                                                                                                       Rating\n                   Per DHS policy, the waiver must          are effective and documentation of their\n         be reviewed, updated, and 
re-approved by           effectiveness is maintained as auditable\n         the appropriate management officials every         records.\n         six (6) months.\n\n         As required by DHS policy, the approved\n         waiver describes the mitigating efforts,\n         management\xe2\x80\x99s acceptance of the associated\n         residual risk, and a plan for attaining\n         compliance with DHS policy. The waiver\n         also documents the compensating controls\n         to mitigate risk until the alternate\n         processing site is implemented. The\n         compensating controls are to be derived by\n         conducting annual table-top exercises and\n         ensuring that regular backups of critical\n                  data and offsite backup storage are\n         performed. However, a fully successful\n         table top test of          has not been\n         conducted for FY 2008. The waiver\n         granted provides an extension of time to\n         implement corrective action, but the\n         associated risk still remains.\nFEMA-            system administrators conducted ad     We recommend that FEMA develop and                                   X          Low\nIT-08-   hoc backup tape restores for system users      implement procedures to periodically test the\n  23     and performed a full database restore in              backups in accordance with the DHS\n         March 2008 during a server upgrade.            
Sensitive System Policy Directive 4300A.\n         However, there was no evidence that\n         quarterly testing was conducted or that\n         FEMA has a formalized process to test\n         backup tapes more frequently than annually.\nFEMA     We noted that the tape restore schedule        We recommend that FEMA periodically test                             X          Low\nIT-08-   requires quarterly testing of backup tapes            backups on a quarterly basis in compliance\n\n                                                                     53\n                Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                 Appendix B\n                                                  Department of Homeland Security\n                                              Information Technology Management Letter\n                                                         September 30, 2008\n\n\n                                                                                                                                           Risk\nNFR #                    Condition                                      Recommendation                         New Issue   Repeat Issue\n                                                                                                                                          Rating\n  24     beginning no earlier than FY 2009.             with FEMA and DHS policy.\n\n         Additionally, we determined that the\n                  Contingency Plan was not tested\n         and consequently a full          backup tape\n         restore did not occur in FY 2008. 
Rather,\n                  system administrators conducted ad\n         hoc backup tape restores at the request of\n         system users during the fiscal year.\n\n\nFEMA-    Due to the magnitude of the project scope to   x   Continue to dedicate resources towards                              X         Medium\nIT-08-   establish a \xe2\x80\x9creal-time\xe2\x80\x9d alternate processing       completing on-going corrective actions to\n  25     site for          FEMA was unable to               implement a \xe2\x80\x9creal-time\xe2\x80\x9d alternate processing\n         implement corrective actions to fully              site for\n         remediate the prior year finding within\n         twelve (12) months. Consistent with DHS        x   Update the existing waiver, as required, in\n         policy for findings that cannot be                 accordance with effective DHS policy\n         remediated within twelve (12) months, a            regarding    waivers    and    ensure    that\n         DHS IT Security Program Waiver (number             compensating controls described in the waiver\n         WR-2008-012) was approved by the DHS               are effective and documentation of their\n         Chief Information Security Officer in              effectiveness is maintained as auditable\n         March 2008 to provide FEMA with                    records.\n         additional time to plan and develop an\n         effective alternate processing site for\n                                                        x   In the event that an updated waiver is denied\n                    Per DHS policy, the waiver must\n                                                            or when the alternate processing site is\n         be reviewed, updated, and re-approved by\n                                                            established, conduct documented annual tests\n         the appropriate management officials every\n                                                    
        of the            contingency plan that address\n         six (6) months. The waiver identifies that\n                                                            all critical phases of the plan.\n         until the alternate processing site is\n         implemented and full scale testing can be\n         conducted, compensating controls will be       x   Update the          contingency plan based on\n         implemented by conducting annual table-            the lessons learned from table top or full-scale\n\n\n                                                                     54\n                Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                              Appendix B\n                                                Department of Homeland Security\n                                            Information Technology Management Letter\n                                                       September 30, 2008\n\n\n                                                                                                                                        Risk\nNFR #                     Condition                                     Recommendation                      New Issue   Repeat Issue\n                                                                                                                                       Rating\n         top exercises.                                     testing results, as necessary.\n\n         Additionally, at the close of our audit test\n         work, we determined that annual table top\n         testing had not been conducted and\n         documented. 
We determined that the most\n         recently conducted table top review of\n                  contingency plan occurred on July\n         21, 2007 and was conducted for processes,\n         procedures, and scenarios identified in the\n         contingency plan dated June 29, 2007. We\n         noted that the documented results of the\n         July 2007 test stated that FEMA was unable\n         to successfully complete steps that were\n         planned to be conducted during the\n         Recovery Procedure Activation phase due\n         to material weaknesses and deficiencies\n         cited in the Recovery procedures.\nFEMA-    During our FY 2008 follow up test work,        We recommend that FEMA, in accordance with                           X         Medium\nIT-08-   we tested a selection of 40          non-      DHS and FEMA policy, ensure that\n  28     emergency application level         that had   non-emergency application level changes obtain\n         occurred since October 1, 2007. 
Of the 40      all required approvals prior to implementation\n                tested, we noted the following          into production and that testing documentation is\n         exceptions:                                    appropriately retained.\n              x 29          did not have testing\n                   documentation attached to the\n\n             x    36       did not obtain Technical\n                  Development Laboratory (TDL)\n                  approval; and\n             x    32       did not obtain Technical\n                  Review Committee (TRC)\n                  approval\n\n                                                                      55\n                 Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                   Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2008\n\n\n                                                                                                                                             Risk\nNFR #                     Condition                                      Recommendation                          New Issue   Repeat Issue\n                                                                                                                                            Rating\nFEMA-    We noted that TRC approvals for                 We recommend that FEMA, in accordance with                               X         Medium\nIT-08-   application level emergency changes did not     DHS and FEMA policy, ensure that\n  29     consistently follow FEMA and DHS                application level emergency changes obtain all\n         guidance. 
Specifically, we determined that      required approvals prior to implementation into\n         of 25 emergency             changes selected    production and that testing documentation is\n         for testing:                                    appropriately retained.\n              x 22 changes did not have\n                   documented TRC approval;\n              x 4 did not gain          approval prior\n                   to implementation into production;\n              x 16 did not gain TDL approval; and\n              x 6 did not have related testing\n                   documentation attached.\nFEMA-    We were referred to Section 2.2.1 of the        We recommend that          document                                      X         Medium\nIT-08-                Administrative Manual as           duties that are incompatible and develop and\n  38     guidance on segregating incompatible            implement policies and procedures for properly\n         duties. Based on our review of the manual,      segregating incompatible duties within the system.\n         we noted that it does not include policies\n         and procedures regarding segregating\n         incompatible duties within            .\n         Additionally, while we noted that system\n         roles and responsibilities have been\n         documented,             duties are\n         incompatible are not documented. As a\n         result, prior year NFR FEMA-IT-07-38 is\n         re-issued.\nFEMA-    During our test work, we noted that a           x   Update and test the                 Contingency                      X         Medium\nIT-08-   planned update and subsequent testing of            Plan, covering all critical phases of the plan in\n  39     the            Contingency Plan was not             accordance with DHS policy. 
In addition,\n         conducted and that system fail over                 NFIP should conduct a test of the system fail-\n         capability at the alternate processing site         over capability at the alternate processing site.\n         had not been tested. Additionally, the NFIP     x   Revise the Disaster Recovery and Continuity\n\n\n                                                                       56\n                Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                       Appendix B\n                                                    Department of Homeland Security\n                                                Information Technology Management Letter\n                                                           September 30, 2008\n\n\n                                                                                                                                                 Risk\nNFR #                      Condition                                        Recommendation                           New Issue   Repeat Issue\n                                                                                                                                                Rating\n         Disaster Recovery and COOP was not                     of Operation Plan to incorporate the\n         updated to include the                                 and          alternate processing facility and the\n         alternate processing facility or                               critical data files, as well as update the\n         critical data files and restoration priorities.        
plans with lessons learned from the testing.\nFEMA-             User Access is not Managed in            x In support of the OCFO Procedures for                      X                       High\nIT-08-   Accordance with Account Management                     Granting Access to              continue to ensure\n  45     Procedures                                             the process for granting or modifying access is\n                                                                monitored and that changes made to user\n                                                                profiles outside of the recertification process\n                                                                are documented and authorized by supervisors,\n                                                                program managers, and COTRs.\n                                                           x Ensure that the               Database User Access\n                                                                Instruction is implemented consistently by\n                                                                requiring that all existing and new\n                                                                users complete a current\n                                                                           User Access Form.\n                                                           x Complete             the       development        and\n                                                                implementation of policies and procedures\n                                                                over periodic recertification of all user access\n                                                                to the                      database, and retain\n                                                                auditable records in accordance with DHS\n                                                                polices and procedures 
as evidence that\n                                                                recertifications are conducted and completed\n                                                                periodically with timeliness.\nFEMA-    The existing MOU with the Department of           We recommend that FEMA complete the review,                  X                        Low\nIT-08-   Treasury expired in October 2007.                 reauthorization, and re-issuance of a current\n  46                                                       and       between the Treasury           and FEMA.\nFEMA-    Based upon our review, we determined              Complete the reauthorization and reissuance of a             X                        Low\nIT-08-   that the     between FEMA and                     renewed         between FEMA                 and ensure\n  47     expired in July 2007 and has not been             that the       is subsequently reviewed, updated as\n         reauthorized and reissued, as required by         necessary, and reissued timely, as required by DHS\n         DHS policy.                                       
policy and/or the terms of the agreement.\n\n\n                                                                         57\n                 Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                             Appendix B\n                                                Department of Homeland Security\n                                            Information Technology Management Letter\n                                                       September 30, 2008\n\n\n                                                                                                                                       Risk\nNFR #                    Condition                                     Recommendation                      New Issue   Repeat Issue\n                                                                                                                                      Rating\nFEMA-    The vulnerabilities identified from the        We recommend that FEMA implement a process            X                       Medium\nIT-08-          scans are not reported and tracked      to ensure that weaknesses identified during\n  48     via DHS\xe2\x80\x99 POA&M process.                        vulnerability assessment scans of            are\n                                                        formally reported and that associated corrective\n                                                        actions are developed and tracked via DHS\xe2\x80\x99\n                                                        POA&M process.\nFEMA-    We noted that the software was improperly      Action was taken to correct this weakness during      X                       Medium\nIT-08-   configured so that the user\xe2\x80\x99s ability to       the audit period. 
No further recommendation is\n  49     change the following settings had not been     required.\n         disabled:\n             x                                    for\n                  automatically scanning system\n                  files for threats, known viruses,\n                  and worms on a continuous basis\n                  when Windows is started;\n             x\n                  for automatically scanning Outlook\n                  and/or Outlook Express messages\n                  for viruses.\n             x                                    for\n                  automatically scanning incoming\n                  and     outgoing    Lotus    Notes\n                  messages; and\n             x                                    for\n                  scanning all incoming and\n                  outgoing e-mail messages other\n                  than Outlook and/or Outlook\n                  Express.\nFEMA-    We performed test work over audit              We recommend that FEMA, in accordance with            X                       Medium\nIT-08-   logging on the        application and          FEMA and DHS policy, continue to implement\n  50     Oracle database. 
Based upon inquiry and        procedures over audit logging processes for the\n         inspection of documentation, we                        application and database and retain\n         determined that on a daily basis, an           evidence that audit records are proactively\n\n                                                                     58\n                Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                Appendix B\n                                                  Department of Homeland Security\n                                              Information Technology Management Letter\n                                                         September 30, 2008\n\n\n                                                                                                                                          Risk\nNFR #                     Condition                                    Recommendation                         New Issue   Repeat Issue\n                                                                                                                                         Rating\n         automated report is generated and emailed     reviewed.       Specifically, the evidence should\n         to the Database Administrators (DBA)          provide a record of review that at a minimum notes\n         and FSS personnel for review. However,        the identity of the individual that reviewed the log\n         while this report is distributed for review   (e.g. 
(continued from the preceding finding)
Condition: ... by the DBAs and FSS staff, no evidence that the reviews are conducted is retained. Additionally, we noted that while FEMA Instruction 2200.7, User Access Instruction, assigns the responsibility of conducting this weekly review to FSS, FEMA personnel do not formally document that the review is conducted.
Recommendation: ... initials), the date of review, and follow up actions taken, if required.

Columns of the findings table: NFR #, Condition, Recommendation, New Issue, Repeat Issue, Risk Rating. Text redacted for public release is marked [redacted].

FEMA-IT-08-51 (New Issue; Risk Rating: High)
Condition: We noted that the Standard Operating Procedure (SOP) does not comprehensively address requirements of FEMA Directive 140-1, FEMA Information Technology Security Policy. Specifically, the SOP does not require the monitoring of modifications to account tables and other highly-privileged and administrator-level activities. Additionally, we noted that the SOP requires database administrators to initial and retain printed logs as evidence that reviews are conducted as required. However, FEMA informed us that this portion of the SOP was not being performed.
Recommendation: We recommend that FEMA revise existing procedures for [redacted] audit logging to include a review of highly-privileged and administrator-level activities as required by FEMA and DHS policy and ensure implementation of all requirements, including retention of evidence of reviews of audit logs.

FEMA-IT-08-52 (New Issue; Risk Rating: Medium)
Condition: Finalization and implementation of the [redacted] SOP - FEMA [redacted], which specifies the timeframe for installing security patches, has been delayed due to organizational changes.
Recommendation: We recommend that FEMA finalize and implement procedures that define the timeframe in which security patches should be installed.

59
Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit

Appendix B
Department of Homeland Security
Information Technology Management Letter
September 30, 2008

FEMA-IT-08-53 (New Issue; Risk Rating: Medium)
Condition: Upon inspection of the [redacted] SSP that is a part of the [redacted] package, we noted that the server and host names listed in Appendix B of the SSP are not accurate. Specifically, the listing of system components is not comprehensive and portions of information, such as system owners, are not up to date.
Recommendation: We recommend that FEMA ensure that the [redacted] SSP is updated in accordance with DHS policy so that current system components and system owners are comprehensively documented in the plan.

FEMA-IT-08-54 (New Issue; Risk Rating: Medium)
Condition: In FY 2008, we determined that NFIP had documented and implemented the [redacted]. During the audit, we determined that two (2) [redacted] changes had been implemented since October 1, 2007. We obtained change documentation for both changes and noted that testing documentation was not retained for these changes.
Recommendation: We recommend that NFIP ensure that testing documentation for [redacted] changes is documented and retained on file in accordance with DHS policy.

FEMA-IT-08-55 (New Issue; Risk Rating: Medium)
Condition: During our FY 2008 test work, we noted that NFIP documented and implemented the [redacted] Control Unit Procedures that provide guidance on implementing changes into the production environment. We selected for testing eight (8) [redacted] changes that had been implemented since October 1, 2007. Of the eight (8) tested, we identified that test results were not available for one (1) change.
Recommendation: We recommend that NFIP ensure that testing of all [redacted] changes is documented and retained on file in accordance with DHS and NFIP requirements.

Department of Homeland Security
FY2008 Information Technology
Notification of Findings and Recommendations – Detail

Consolidated

CONS-IT-08-07 (Repeat Issue; Risk Rating: Medium)
Condition: Controls have not been implemented to detect and identify the actions taken with [redacted] by non-database administration personnel. Audit logs are only reviewed on an as needed basis by database administrators or personnel with database administrator access.
Recommendation:
- Establish controls to detect and identify the actions taken with the [redacted] by non-database administration personnel.
- Ensure that:
  - The [redacted] database supporting [redacted] is configured to capture all access attempts;
  - An individual independent of the personnel administering [redacted] is tasked with the responsibility for reviewing system audit trails on a regular basis;
  - The review of audit logs is documented to provide audit evidence of review;
  - The audit log files are retained and archived in accordance with DHS policy.

CONS-IT-08-11 (Repeat Issue; Risk Rating: Medium)
Condition: We determined that Treasury has not sufficiently documented evidence of the completion of application-level change management steps using the SCR process.
Recommendation: We recommend that the DHS OFM independently verify, on an ongoing basis, that Treasury performs adequate integration testing for all [redacted] changes and maintains documentation of testing as audit evidence.

CONS-IT-08-12 (Repeat Issue; Risk Rating: Low)
Condition: We noted that emergency change procedures have been documented. However, we determined that OFM and Treasury did not properly document the necessary approvals and testing for one of six selected [redacted] changes.
Recommendation:
- Maintain supporting documentation for each [redacted] change. At a minimum, the following documentation should be maintained for each change: change request, change request approval, evidence of testing, final approval.
- Independently verify that Treasury is following the change control process as required and maintaining supporting documentation for each change.
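As an added example (not part of the report, and not FEMA's, DHS's or Treasury's own procedure), the following Python reviews a constructed database audit trail for the activity classes that FEMA-IT-08-51 and CONS-IT-08-07 ask to be monitored (changes by non-DBA personnel, modifications to account tables, administrator-level actions) and builds the evidence-of-review record those findings ask to be retained, refusing a reviewer who is not independent of the DBAs. The log-line format, account lists and sample lines are assumptions.

```python
"""Audit-log review for the activity classes named in FEMA-IT-08-51 / CONS-IT-08-07.
Everything here (format, names, sample lines) is a constructed assumption."""
import re
from collections import namedtuple

Event = namedtuple("Event", "ts user action obj rows")
Finding = namedtuple("Finding", "rule event")

# Assumed audit-trail line format; a real DBMS audit log needs its own parser.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>[A-Z]+) "
    r"object=(?P<obj>\S+) rows=(?P<rows>\d+)$"
)

# Constructed sample audit trail (not from the report). The last line is
# deliberately malformed so the review shows lines it could not parse.
SAMPLE_LOG = """\
2008-09-15T08:02:11 user=dba_alice action=SELECT object=fin.payments rows=40
2008-09-15T08:05:43 user=jsmith action=SELECT object=fin.payments rows=3
2008-09-15T08:07:09 user=jsmith action=UPDATE object=fin.payments rows=1
2008-09-15T09:12:30 user=dba_bob action=UPDATE object=sys.user_accounts rows=1
2008-09-15T09:15:02 user=dba_bob action=GRANT object=role.dba rows=0
2008-09-15T10:40:55 user=svc_report action=SELECT object=fin.ledger rows=1200
this line is not in the expected format
"""

# Assumed lists; in practice they come from the access-control records.
DBA_ACCOUNTS = frozenset({"dba_alice", "dba_bob"})
ACCOUNT_TABLES = frozenset({"sys.user_accounts", "sys.roles", "role.dba"})
MODIFYING = frozenset({"INSERT", "UPDATE", "DELETE", "MERGE"})
PRIVILEGED = frozenset({"GRANT", "REVOKE", "ALTER", "DROP"})


def parse_log(text):
    """Return (events, unparsed). Unparsed lines are kept, not dropped, so the
    reviewer can see where the trail is not being captured in a usable form."""
    events, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        events.append(Event(m["ts"], m["user"], m["action"], m["obj"], int(m["rows"])))
    return events, unparsed


def review(events, dba_accounts=DBA_ACCOUNTS, account_tables=ACCOUNT_TABLES):
    """Flag the three activity classes the findings ask to be monitored.
    One event can match more than one rule and is then reported once per rule."""
    findings = []
    for ev in events:
        # Data changed by someone who is not database administration personnel.
        if ev.user not in dba_accounts and ev.action in MODIFYING:
            findings.append(Finding("NON_DBA_CHANGE", ev))
        # Any modification of an account table, whoever made it.
        if ev.obj in account_tables and ev.action in MODIFYING | PRIVILEGED:
            findings.append(Finding("ACCOUNT_TABLE_CHANGE", ev))
        # Administrator-level activity (privilege and schema changes).
        if ev.action in PRIVILEGED:
            findings.append(Finding("PRIVILEGED_ACTION", ev))
    return findings


def reviewer_is_independent(reviewer, dba_accounts=DBA_ACCOUNTS):
    """CONS-IT-08-07: the reviewer must not be one of the DBAs being reviewed."""
    return reviewer not in dba_accounts


def review_record(findings, unparsed, reviewer, review_date, follow_up,
                  dba_accounts=DBA_ACCOUNTS):
    """Build the evidence-of-review record the SOP requires: who reviewed, when,
    what was flagged and what follow-up action was taken."""
    if not reviewer_is_independent(reviewer, dba_accounts):
        raise ValueError("reviewer %r administers the database" % reviewer)
    return {
        "reviewer_initials": reviewer,
        "review_date": review_date,
        "flagged": [(f.rule, f.event.ts, f.event.user, f.event.action, f.event.obj)
                    for f in findings],
        "unparsed_lines": len(unparsed),
        "follow_up": follow_up,
    }


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    rec = review_record(review(evs), bad, "JRD", "2008-09-16",
                        "ticket opened for jsmith UPDATE on fin.payments")
    for row in rec["flagged"]:
        print(*row)
    print("unparsed lines:", rec["unparsed_lines"])
```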
              Appendix B\n                                                Department of Homeland Security\n                                            Information Technology Management Letter\n                                                       September 30, 2008\n\n\n                                               Department of Homeland Security\n                                                FY2008 Information Technology\n                                    Notification of Findings and Recommendations \xe2\x80\x93 Detail\n\n                                                                  OCIO\n\n                                                                                                                        Repeat      Risk\n NFR #                          Condition                                    Recommendation                 New Issue\n                                                                                                                         Issue     Rating\nOCIO-IT-   There is no formal agreement in place between the      We recommend that the DHS OCIO               X                   Medium\n 08-01     DHS and the United States Navy (Navy) at               ensure that DHS and the Navy document\n                         outlining DHS\xe2\x80\x99 and the Navy\xe2\x80\x99s            an Memorandum of\n           responsibility for the services provided by the Navy   Agreement/Memorandum of\n           at                                                     Understanding (MOA/MOU) outlining\n                                                                  CBP\xe2\x80\x99s specific requirements for their\n                                                                  business continuity facility and ensure\n                                                                  that the agreement is complete, signed\n                                                                  and up-to-date.\nOCIO-IT-   Through inquiry with OCIO 
personnel, we                We recommend that the DHS OCIO               X                   Medium\n 08-02     determined that the DHS       has not been             finalize          .\n           finalized.\n\n\n\n\n                                                                    65\n                Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                         Appendix B\n                          Department of Homeland Security\n                      Information Technology Management Letter\n                                 September 30, 2008\n\n\n\n\n                 Department of Homeland Security\n                  FY2008 Information Technology\n      Notification of Findings and Recommendations - Detail\n\n          \xc2\x84   Federal Law Enforcement and Training Center\n\n\n\n\n                                         66\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                 Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2008\n\n\n                                               Department of Homeland Security\n                                                FY2008 Information Technology\n                                    Notification of Findings and Recommendations \xe2\x80\x93 Detail\n\n                                         Federal Law Enforcement and Training Center\n\n                                                                                                                                           Risk\nNFR #                       Condition                   
                  Recommendation                       New Issue   Repeat Issue\n                                                                                                                                          Rating\nFLETC-    FLETC finalized and approved the Financial       We recommend that FLETC Ensure that access                           X         Medium\n IT-08-   Management System Configuration                  to the            program libraries is limited to\n   01     Management Standard Operating Procedures,        only the Administrators group.\n          which detail testing procedures. This prior\n          year condition will be reissued as the\n          weakness has been in place for the majority of\n          the fiscal year.\n\n          The access group, \xe2\x80\x9c                     \xe2\x80\x9d has\n          modify, read, execute, and write access to the\n                       application program libraries. We\n          determined that this gives all FLETC domain\n          level users modify read, execute, and write\n          access to the             application program\n          libraries.\n\n\n\n\n                                                                    67\n                 Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                   Appendix B\n                                                  Department of Homeland Security\n                                              Information Technology Management Letter\n                                                         September 30, 2008\n\n\n                                                                                                                                             Risk\nNFR #                       Condition                                       Recommendation                       New 
Issue   Repeat Issue\n                                                                                                                                            Rating\nFLETC-    FLETC finalized and approved the Financial         x   Continue with the projected plan for                             X         Medium\n IT-08-   Management System Configuration                        decommissioning the\n   02     Management Standard Operating Procedures,              application.    Develop and implement\n          which detail testing procedures. This prior            policies and procedures over the\n          year condition will be reissued as the                 configuration management process for\n          weakness has been in place for the majority of         Prism application level changes;\n          the fiscal year.\n                                                             x   Ensure that access to the\n          Due to the decommissioning of the                              program libraries is limited to only\n          application, we learned that FLETC has not             the Administrators group.\n          developed policies and procedures for\n                        Desktop bug fixes and\n          enhancements. This prior year condition will\n          be reissued as the weakness has been in place\n          for the majority of the fiscal year.\n\n          All FLETC domain level users\n          inappropriately have modify, read, execute,\n          and write access to the\n\nFLETC-    The installation of             system             We      recommend       that    FLETC,      upon                     X         Medium\n IT-08-   software is not currently logged or reviewed       implementation of the        system, enable audit\n   03     by FLETC management.                               
logging over the installation of\n                                                             system software and ensure that logs are\n                                                             maintained and proactively reviewed by\n                                                             management.\nFLETC-    The SDLC for               is currently in draft   1 Finalize and implement a SDLC                                      X         Medium\n IT-08-   form.                                                  methodology guide for               , FLETC\n   04                                                            Directive and FLETC Manual. Ensure that\n                                                                 security planning has been incorporated\n                                                                 throughout the life cycle;\n\n                                                             2   Ensure that the SDLC methodology is\n\n                                                                      68\n                 Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                       Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2008\n\n\n                                                                                                                                                 Risk\nNFR #                        Condition                                       Recommendation                          New Issue   Repeat Issue\n                                                                                                                                                
Rating\n                                                                  promulgated to all personnel involved in the\n                                                                  design, development, and implementation\n                                                                  process of the SDLC methodology.\nFLETC-    We determined that FLETC has begun to               Consistently apply the new CIO Backup SOP                               X         Medium\n IT-08-   implement corrective actions to address the         and periodically test the            server level\n   05     prior year finding; however we learned that         and        database backups at least annually in\n          FLETC                 server level and              compliance with the DHS Sensitive System\n          database backups are not periodically tested.       Policy Directive 4300A.\n          Additionally, we noted that procedures or a\n          testing schedule are not in place for\n                              level and         database\n          backups.\nFLETC-    The              contingency plan has not           x   Perform corrective action over the                                  X         Medium\n IT-08-   been fully tested. We determine that the                            Contingency Plan test results\n   06     recovery and resumption procedures were not             and update the plan accordingly.\n          tested during the table-top test of the             x Perform a test over the\n                       contingency plan.                          
Contingency Plan, covering all critical\n                                                                  phases of the plan, on an annual basis.\nFLETC-    The FLETC Computer Security Operations              No recommendation will be offered as the                                X         Medium\n IT-08-   Center and Computer Security Incident               condition was mitigated during the fiscal year\n   07     Response Capability SOP, is currently in draft\n          form. Additionally, we noted that incidents\n          are not tracked from inception to resolution in\n          an incident response management system.\nFLETC-    We noted that incompatible duties over              Continue with the         projected   plan       for                    X          Low\n IT-08-                          have been identified and     decommissioning the\n   08     that the                         administrator is   application.\n          no longer a procurement approver. However,\n          policies and procedures have not been\n          developed to segregate incompatible duties.\n\n\n\n\n                                                                       69\n                 Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                      Appendix B\n                                                  Department of Homeland Security\n                                              Information Technology Management Letter\n                                                         September 30, 2008\n\n\n                                                                                                                                                Risk\nNFR #                        Condition                                        Recommendation                        New Issue   Repeat Issue\n                  
                                                                                                                             Rating\nFLETC-    We determined that the procedures for granting       x   Document access procedures within the                             X          Low\n IT-08-   access to the                    had not been                                          , including the\n   09     documented and no user authorization form is             use of a user authorization form;\n          used and maintained for access requests.             x   Update the                                  to\n                                                                   include access granting procedures as well\n          We noted that no documented procedures on re-            as re-entry procedures, and;\n          entry into the facility after an emergency exist.\n                                                               x   Perform training for                     staff\n          FLETC also advised that all personnel on the\n                                                                   and regular visitors over emergency\n                              access listing and regular\n                                                                   procedures pertaining, but not limited to\n          visitors to the                  are provided fire\n                                                                   fire, water, and alarm procedures.\n          suppression training. 
However, no supporting\n                                                                   Additionally, formalize this training by\n          documentation was provided to support this\n                                                                   retaining documentation that all staff has\n          effort.\n                                                                   completed the training.\n\n\n\n\n                                                                        70\n                 Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                              Appendix B\n                                                  Department of Homeland Security\n                                              Information Technology Management Letter\n                                                         September 30, 2008\n\n\n                                                                                                                                        Risk\nNFR #                        Condition                                   Recommendation                     New Issue   Repeat Issue\n                                                                                                                                       Rating\nFLETC-    We found that FLETC Manual (FM) 4300:            x   Continue with their projected plan for                        X         Medium\n IT-08-   Information Technology System Security               decommissioning the\n   10     Program and Policy, which establishes the            application.    Additionally, develop and\n          policies to be followed when an employee or          implement      procedures    over   access\n          contractor is separated or terminated, is            authorizations for     ;\n          currently in draft form. 
Additionally,\n                                 does not require          x   Develop and implement procedures to\n          passwords to contain a combination of upper          periodically review the list of user\n          and lower case letters and special characters.       accounts;\n\n                                                           x   Finalized and implement FM 4300:\n                                                               Information Technology System Security\n                                                               Program and Policy, requiring the\n                                                               immediate notification of terminated or\n                                                               transferred users with FLETC IT accounts;\n\n                                                           x   Ensure that the            application to\n                                                               requires a password to be a minimum of\n                                                               eight characters in length and contain a\n                                                               combination of alphabetic, numeric, and\n                                                               special characters to be in compliance\n                                                               with the DHS Sensitive System Policy\n                                                               Directive 4300A.\nFLETC-    We determined that the FLETC Directive           No recommendation will be offered as the                          X          Low\n IT-08-   (FD) 4320: IT System Security Awareness          condition was mitigated during the fiscal year\n   11     and Training is in draft form.\n\n\n\n\n                                                                    71\n                 Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                
                                                                                                                  Appendix B\n                                                Department of Homeland Security\n                                            Information Technology Management Letter\n                                                       September 30, 2008\n\n\n                                                                                                                                            Risk\nNFR #                       Condition                                      Recommendation                       New Issue   Repeat Issue\n                                                                                                                                           Rating\nFLETC-    We determined that FLETC is in the process        We recommend that FLETC finalize and update                          X          Low\n IT-08-   of refining the FD/FM 4300 to be in               FD/FM 4300 based on the most recent version\n   12     accordance with the DHS Sensitive System          of the DHS Sensitive System Policy Directive\n          Policy Directive 4300A.                           
4300A and implement the policy, which provides policies and procedures over the authorization and use of mobile code technologies.

FLETC-IT-08-13 (repeat issue; risk rating: Low)
Condition: We determined that FLETC has developed policies and procedures to proactively monitor sensitive access to system software utilities for [redacted] in the "FM 4300: Information Technology System Security Program and Policy." However, we noted that this policy is in draft form.
Recommendation: Finalize and implement "FM 4300: Information Technology System Security Program and Policy," which provides policies and procedures to proactively monitor sensitive access to system software utilities for [redacted].

FLETC-IT-08-14 (repeat issue; risk rating: Low)
Condition: We determined that FLETC has developed policies for restricting access to [redacted] system software in the "FM 4300: Information Technology System Security Program and Policy." However, we noted that this policy is in draft form.
Recommendation: Finalize and implement "FM 4300: Information Technology System Security Program and Policy," which provides policies for restricting access to [redacted] system software.

FLETC-IT-08-15 (repeat issue; risk rating: Low)
Condition: We noted that FLETC has developed policies for the segregation of duties in the "FM 4300: Information Technology System Security Program and Policy." However, we noted that the policy is currently in draft form.
Recommendation: Finalize and implement the "FM 4300: Information Technology System Security Program and Policy," which provides policies for segregation of duties in [redacted].

Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit

Appendix B
Department of Homeland Security
Information Technology Management Letter
September 30, 2008

FLETC-IT-08-16 (repeat issue; risk rating: Medium)
Condition: We noted that FLETC has developed policies for the use of Voice over Internet Protocol (VoIP) technologies in the "FM 4300: Information Technology System Security Program and Policy." However, we noted that the SOP is currently in draft form. Additionally, we learned that the security inspections have not been applied to all VoIP networks but are planned with the new [redacted] scheduled in 2008.
Recommendation:
- Continue to finalize and implement the "FM 4300: Information Technology System Security Program and Policy," which provides policies for the use of VoIP technologies;
- Conduct a security inspection of the VoIP installations by completing the FLETC VoIP Security Checklist.

FLETC-IT-08-17 (repeat issue; risk rating: Medium)
Condition: During our FY 2008 review, we determined that FLETC has established a process whereby background checks and periodic reinvestigations for all new and existing contractors are performed in a timely manner and supporting documentation is maintained. However, we noted a weakness in that two outstanding users still had access to the FLETC network. As a result, FLETC responded immediately and removed both users' access. However, since the risk was present for the majority of the fiscal year, this NFR will be reissued without any recommendations.
Recommendation: No recommendation will be offered since the condition was mitigated during the fiscal year.
FLETC-IT-08-18 (repeat issue; risk rating: Low)
Condition: We noted that FLETC has developed policies for the review of [redacted] audit logs in the "FM 4300: Information Technology System Security Program and Policy." However, we noted that the SOP is currently in draft form. Additionally, we noted that FLETC has continued with the decommissioning of the [redacted] application; however, it has not been completed.
Recommendation:
- Finalize and implement "FM 4300: Information Technology System Security Program and Policy," which provides policies for the review of audit logs;
- Continue with the decommissioning plan of the [redacted] application.

FLETC-IT-08-20 (repeat issue; risk rating: Low)
Condition: In FY 2008, FLETC stated that no progress has been made on this weakness. FLETC management recommended setting the policy to 5 minutes for all users and then making exceptions as needed for trainers who need them. FLETC management has submitted an exception waiver to DHS to waive the DHS Sensitive System Policy Directive 4300A.
Recommendation: We recommend that FLETC configure the FLETC domain-level inactivity threshold of the password-protected screensaver to five (5) minutes to be in compliance with the DHS Sensitive System Policy Directive 4300A.

FLETC-IT-08-21 (repeat issue; risk rating: Low)
Condition: In FY 2008, we noted that FLETC is in the process of finalizing and implementing FM 4300: Information Technology System Security Program and Policy. Therefore, since the recommendation has not been fully addressed, NFR FLETC-IT-07-21 will be re-issued.
Recommendation: We recommend that FLETC finalize and implement FM 4300: Information Technology System Security Program and Policy, and promulgate it to all necessary users.

FLETC-IT-08-22 (repeat issue; risk rating: Low)
Condition: FLETC does not capture and maintain user access violations in [redacted]. We determined that FLETC has established a process which requires that all [redacted] users will only be granted access once the user access form is appropriately completed and subsequently approved by a supervising authority. Since this improvement was not in place for the majority of the fiscal year, the associated weakness will be reissued with no recommendation. We also determined that FLETC has made progress over the usage of prior passwords. The new process follows the DHS standard of eight iterations. Since this improvement was not in place for the majority of the fiscal year, the associated weakness will be reissued with no recommendation.
Recommendation: Continue with the projected plan for decommissioning the [redacted] application.

FLETC-IT-08-23 (repeat issue; risk rating: Low)
Condition: In FY 2008, we learned that FLETC has not validated all users for [redacted]. Additionally, FLETC has removed users that no longer require access, but this process is not being performed consistently. Therefore, since the finding has not been fully addressed, the NFR will be re-issued.
Recommendation:
- Perform a recertification of all [redacted] user access, validating the existing [redacted] user access of individuals who stated they still need [redacted] access;
- Continue to consistently remove [redacted] user access that is no longer needed.

FLETC-IT-08-24 (repeat issue; risk rating: Low)
Condition: FLETC provided the FLETC [redacted], dated June 18, 2008. However, the contingency plan did not contain evidence to support that the document is stored offsite.
Recommendation: We recommend that FLETC ensure that several updated copies of the [redacted] Desktop Contingency Plan are located at the Artesia, NM site for use by contingency staff.

FLETC-IT-08-25 (repeat issue; risk rating: Low)
Condition: During the FY 08 follow-up, we received the finalized SOP 4203 IT Systems Maintenance Management, effective as of April 29, 2008, and SOP 4204 Anti-Virus for Servers, effective as of April 29, 2008. This NFR will be reissued with no recommendation since the condition existed for the majority of the fiscal year.
Recommendation: As FLETC has effectively implemented the new policies effective April 2008, no recommendation will be offered.

FLETC-IT-08-26 (repeat issue; risk rating: Medium)
Condition: During technical testing, configuration management weaknesses were identified on hosts and databases supporting the [redacted].
Recommendation:
- Implement the corrective actions noted in the findings.
- Perform periodic scans of the FLETC network environment, including the financial processing environment, for the identification of vulnerabilities, in accordance with NIST Special Publication (SP) 800-42.
- Implement corrective actions to mitigate the risks associated with any vulnerabilities identified during periodic scans.

FLETC-IT-08-27 (repeat issue; risk rating: Medium)
Condition: During technical testing, patch management weaknesses were identified on hosts and databases supporting the [redacted]. The fact that these vendor-supplied patches have not been applied in a timely manner could allow a remote attacker to gain unauthorized access on the host or database.
Recommendation:
- Implement the corrective actions noted in the findings.
- Perform periodic scans of the FLETC network environment, including the financial processing environment, for the identification of vulnerabilities, in accordance with NIST SP 800-42.
- Implement corrective actions to mitigate the risks associated with any vulnerabilities identified during periodic scans.

FLETC-IT-08-29 (repeat issue; risk rating: Medium)
Condition: In FY 2008, we learned that [redacted] is still in production; however, no backups are being tested. FLETC management stated that [redacted] decommissioning is planned for the first quarter of FY 08; however, at the time of the audit, it had not been completed.
Recommendation: Continue with the projected plan for decommissioning the [redacted].

FLETC-IT-08-30 (new issue; risk rating: Medium)
Condition: During FY 2008 testing of controls after the [redacted] conversion, we determined that four (4) support contractors and an additional user account used by the support contractor called [redacted] access privileges within [redacted]. Based on notification of this weakness, FLETC management responded by removing the access as of September 24, 2008. Therefore, this finding will be issued with no recommendation.
Recommendation: No recommendation will be offered since the weakness was remediated upon notification.

FLETC-IT-08-31 (new issue; risk rating: Medium)
Condition: During FY 2008, we noted that the [redacted] application will allow "3 unsuccessful attempts" before the user is locked out of the application. The application records these security violations in an audit log; however, FLETC does not perform a periodic review of the log.
Recommendation: We recommend that application system administrators review security and system-related event logs on a periodic basis.

FLETC-IT-08-32 (new issue; risk rating: Medium)
Condition: During FY 2008 testing of controls after [redacted]'s conversion, we determined that the segregation of duties controls were not effective. Specifically, we found that the [redacted] role has the ability to create and approve payment vouchers within [redacted].
Recommendation:
- Evaluate the access rights for all roles within [redacted] and separate the duties for the creation and payment of vouchers.
- Develop a process to ensure the segregation of duties between the Accountant roles is maintained.
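The periodic log review recommended in FLETC-IT-08-31 can be partly automated. The following is an added example, not code from this report, from FLETC or from the audited application (whose name and log format are redacted): it assumes a simple line format of timestamp, event name, user and source address, the sample lines are constructed here, and it flags accounts that reach the three-failure lockout threshold within a review window, accounts locked out more than once, and source addresses that fail against several different accounts.

```python
"""Periodic review of an application's authentication audit log.

Added example; not the report's, FLETC's or the audited application's
code. The log format, field names and the sample lines below are
assumptions: the audited application and its log layout are redacted.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3           # the application locks the account after 3 failures
WINDOW = timedelta(minutes=15)  # review window for counting failures (assumed)

# Constructed sample log lines in a hypothetical format:
# <ISO timestamp> <event> user=<id> src=<ip>
SAMPLE_LOG = """\
2008-09-24T08:00:01 LOGIN_FAIL user=jdoe src=10.1.2.3
2008-09-24T08:00:09 LOGIN_FAIL user=jdoe src=10.1.2.3
2008-09-24T08:00:15 LOGIN_FAIL user=jdoe src=10.1.2.3
2008-09-24T08:00:15 ACCOUNT_LOCKED user=jdoe src=10.1.2.3
2008-09-24T08:05:00 LOGIN_OK user=asmith src=10.1.2.7
2008-09-24T09:10:00 LOGIN_FAIL user=asmith src=192.0.2.9
2008-09-24T09:10:02 LOGIN_FAIL user=bjones src=192.0.2.9
2008-09-24T09:10:04 LOGIN_FAIL user=ckim src=192.0.2.9
2008-09-24T09:10:06 LOGIN_FAIL user=dlee src=192.0.2.9
2008-09-24T14:30:00 LOGIN_FAIL user=jdoe src=10.1.2.3
2008-09-24T14:30:20 LOGIN_FAIL user=jdoe src=10.1.2.3
2008-09-24T14:30:40 LOGIN_FAIL user=jdoe src=10.1.2.3
2008-09-24T14:30:40 ACCOUNT_LOCKED user=jdoe src=10.1.2.3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>[A-Z_]+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def review(events, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Summarise what a reviewer should look at:
    - lockouts per user, taken from ACCOUNT_LOCKED records
    - users reaching `threshold` failures inside `window`, whether or not the
      application logged a lockout for them
    - sources that fail against at least `threshold` distinct accounts
      (a password-spray pattern a per-account lockout never catches)
    """
    lockouts = defaultdict(int)
    failures = defaultdict(list)   # user -> timestamps of failed logins
    src_users = defaultdict(set)   # src -> users that failed from it
    for e in events:
        if e["event"] == "ACCOUNT_LOCKED":
            lockouts[e["user"]] += 1
        elif e["event"] == "LOGIN_FAIL":
            failures[e["user"]].append(e["ts"])
            src_users[e["src"]].add(e["user"])

    threshold_hits = set()
    for user, stamps in failures.items():
        stamps.sort()
        # sliding window: any `threshold` consecutive failures within `window`
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                threshold_hits.add(user)
                break

    sprays = {src: sorted(users) for src, users in src_users.items()
              if len(users) >= threshold}
    return {
        "lockouts": dict(lockouts),
        "threshold_hits": sorted(threshold_hits),
        "repeat_lockouts": sorted(u for u, n in lockouts.items() if n > 1),
        "spray_sources": sprays,
    }


if __name__ == "__main__":
    for key, value in review(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The reviewer's value comes from the second and third lists: an account that keeps hitting the threshold is either a user who needs help or an account under attack, and a single source failing against many accounts is invisible to the application's own per-account lockout, so it only surfaces when someone reads the log.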
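FLETC-IT-08-32 recommends evaluating the access rights of every role and separating voucher creation from approval and payment. The following added example (not the report's, FLETC's or the application's code; the role and permission names, the conflict pairs beyond create/approve, and the user assignments are all constructed) shows a segregation-of-duties check that finds roles which are toxic on their own, finds users who accumulate a toxic pair across several roles, and proposes how to split a toxic role.

```python
"""Segregation-of-duties check over an application's role model.

Added example; not the report's, FLETC's or the audited application's
code. The role names, permission names, conflict pairs and user
assignments are constructed (the report redacts the application and
the name of the offending role).
"""

# Pairs of duties one person must not hold together. Only create vs.
# approve comes from the report; the other two pairs are assumed.
CONFLICTS = {
    frozenset({"voucher.create", "voucher.approve"}),
    frozenset({"voucher.approve", "voucher.pay"}),
    frozenset({"vendor.create", "voucher.create"}),
}

# Constructed role model. "accountant_legacy" reproduces the reported
# condition: one role that can both create and approve vouchers.
ROLES = {
    "accountant_legacy": {"voucher.create", "voucher.approve", "ledger.view"},
    "ap_clerk": {"voucher.create", "ledger.view"},
    "ap_supervisor": {"voucher.approve", "ledger.view"},
    "treasury": {"voucher.pay", "ledger.view"},
    "auditor": {"ledger.view"},
}

# Constructed user-to-role assignments.
USERS = {
    "u100": {"accountant_legacy"},
    "u101": {"ap_clerk"},
    "u102": {"ap_supervisor"},
    "u103": {"ap_clerk", "ap_supervisor"},  # conflict only through two roles
    "u104": {"ap_supervisor", "treasury"},  # approve + pay
    "u105": {"auditor"},
}


def conflicts_in(permissions, conflicts=CONFLICTS):
    """Return the toxic pairs fully contained in a permission set."""
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= permissions)


def effective_permissions(role_names, roles=ROLES):
    """Union of the permissions granted by all of a user's roles."""
    perms = set()
    for r in role_names:
        perms |= roles.get(r, set())
    return perms


def check_roles(roles=ROLES, conflicts=CONFLICTS):
    """Roles that are toxic on their own (the condition the report describes)."""
    return {name: conflicts_in(perms, conflicts)
            for name, perms in roles.items() if conflicts_in(perms, conflicts)}


def check_users(users=USERS, roles=ROLES, conflicts=CONFLICTS):
    """Users who hold a toxic pair once all their roles are combined.
    A clean role model is not enough: the check must run over assignments."""
    findings = {}
    for user, assigned in users.items():
        hits = conflicts_in(effective_permissions(assigned, roles), conflicts)
        if hits:
            findings[user] = {"roles": sorted(assigned), "conflicts": hits}
    return findings


def split_role(name, roles=ROLES, conflicts=CONFLICTS):
    """Propose a split of a toxic role: one new role per conflicting duty,
    with the non-conflicting permissions copied into each. A role that is
    not toxic is returned unchanged."""
    perms = set(roles[name])
    toxic = set()
    for pair in conflicts:
        if pair <= perms:
            toxic |= pair
    if not toxic:
        return {name: sorted(perms)}
    shared = perms - toxic
    return {f"{name}_{duty.replace('.', '_')}": sorted(shared | {duty})
            for duty in sorted(toxic)}


if __name__ == "__main__":
    print("toxic roles:", check_roles())
    print("users with conflicts:", check_users())
    print("proposed split:", split_role("accountant_legacy"))
```

Splitting the role fixes the reported condition, but `check_users` is the control that keeps it fixed: a user who is later given both halves of the split (as u103 holds both ap_clerk and ap_supervisor here) recreates the conflict without any role being toxic on its own, which is why the recommendation asks for an ongoing process and not just a one-time re-evaluation of roles.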
Department of Homeland Security
FY2008 Information Technology
Notification of Findings and Recommendations – Detail

Transportation Security Administration

TSA-IT-08-01 (repeat issue; risk rating: Low)
Condition: The COOP has not been updated to reflect the results of testing, and the division BCPs have not been finalized.
Recommendation: We recommend that TSA monitor efforts to update the COOP as a result of its testing and finalize the applicable supporting BCPs.

TSA-IT-08-03 (repeat issue; risk rating: High)
Condition: During the first half of the year, the contract with the [redacted] and [redacted] software vendor was still in place and no corrective action had taken place related to the prior year recommendation. Therefore, the risk of the preexisting condition was present for the majority of the year (October 1, 2007 through April 1, 2008). However, due to the Coast Guard decision to terminate the contract with their software vendor, and the Coast Guard Headquarters decision to suspend all SPRs and SCRs until the instructions are lifted, this condition did not exist beyond the date of these two events.
Recommendation: We recommend that TSA work with the DHS Chief Information Officer to ensure that Coast Guard Headquarters completes, in a timely manner, the planned corrective actions of the following:
- Coast Guard Headquarters enhance their existing Configuration Management/Change Management policies and procedures to explicitly address security configurations and software patches (e.g., those associated with system/application "builds", service packs, and maintenance releases) to better ensure compliance with DHS requirements and NIST guidance.
- Coast Guard Headquarters and the applicable Coast Guard locations communicate with and educate affected staff regarding these improved policies and procedures.
- Coast Guard Headquarters develop, communicate, and implement procedures to periodically review system changes and system baselines.

TSA-IT-08-05 (repeat issue; risk rating: High)
Condition: Coast Guard Headquarters has developed but not yet implemented policies or procedures to require that a favorably adjudicated background investigation be completed for all contractor personnel.
Recommendation: We recommend that TSA work with the DHS Chief Information Officer to ensure that Coast Guard Headquarters completes, in a timely manner, the planned corrective actions to create and implement contractor background investigation policies and procedures in order to establish requirements and ensure compliance with the DHS Sensitive System Policy Directive 4300A. This includes verification that all contracts issued by the Coast Guard include the appropriate Coast Guard position sensitivity designation requirements for contracted personnel.

TSA-IT-08-06 (repeat issue; risk rating: Medium)
Condition: The Role-Based Training for USCG Information Assurance Professionals Commandant Instruction is still in draft form and has not been fully implemented.
Recommendation: We recommend that TSA monitor Coast Guard Headquarters' efforts to complete planned corrective actions to:
- Continue efforts to finalize and implement the Role-Based Training for USCG Information Assurance Professionals Commandant Instruction, which would require personnel with significant information security responsibilities to complete specialized role-based training on an annual basis.
- Develop and deploy this specialized role-based training throughout the Coast Guard.
- Implement the use of the [redacted] in order to track and verify compliance with specialized role-based training requirements.
                                                                                                                             Repeat    Risk\nNFR #                            Condition                                             Recommendation                         New Issue\n                                                                                                                                           Issue   Rating\nTSA-IT-              is in the process of updating and finalizing      We recommend that TSA monitor that                is                  X      Low\n08-13     the        Package for            Suite. The                 taking corrective action to finalize and implement\n          comprehensive                      will include the major    the       Package for the        Suite in accordance\n          subsystems                                                   with DHS and NIST guidance.\n                        and financial supporting applications\n                                         and will be used instead of\n          an individual        for each system. 
The        also\n          identifies the management controls around risk\n          assessments, planning, security assessments,          ,\n          and systems and services acquisition.\nTSA-IT-   Of the 669 employees/contractors with current access         We recommend that TSA perform the following                          X      Medium\n08-15     to the following TSA\xe2\x80\x99s financial applications:               corrective actions:\n                                   152 employees/contractors have      x Enforce mandatory completion of Security\n          not completed the IT Security Awareness Training                 Awareness Training by holding groups\n                                                                           responsible and accountable as a\n                                                                           performance measure for monitoring the\n                                                                           training of their employees.\n                                                                       x Revoke system access of employees who do\n                                                                           not complete the required annual security\n                                                                           awareness training before the deadline and\n                                                                           until the employees subsequently completes\n                                                                           the required training.\nTSA-IT-   Configuration management weaknesses continue to              We recommend that TSA work with the DHS                              X      Medium\n08-18     exist on hosts supporting the       and                      Chief Information Officer to ensure that Coast\n                     applications and the                              Guard\xe2\x80\x99s             completes, in a timely manner,\n                
                                                       the planned corrective actions of the following:\n          Note: See the tables in the NFR for the specific             x Implement the corrective actions noted in\n          conditions.                                                      the tables above.\n                                                                       x Implement polices and procedures to ensure\n                                                                           that the software builds created by CG are\n                                                                           tested, prior to implementation, to ensure that\n                                                                           all software security configurations, such as\n\n\n                                                                         82\n                 Information Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                      Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2008\n\n\n                                                                                                                                      Repeat    Risk\nNFR #                           Condition                                          Recommendation                         New Issue\n                                                                                                                                       Issue   Rating\n                                                                                                                      ,\n                                                               
are up to date.

NFR #: TSA-IT-08-19
Condition: Patch management weaknesses continue to exist on hosts supporting the [redacted] applications and the [redacted].
  Note: See the tables in the NFR for the specific conditions.
Recommendation: We recommend that TSA work with the DHS Chief Information Officer to ensure that Coast Guard Headquarters completes, in a timely manner, the planned corrective actions of the following:
  - Implement the corrective actions noted in the NFR.
  - Implement policies and procedures to ensure that the software builds created by CG are tested, prior to implementation, to ensure that all software security configurations, such as [redacted].
Repeat Issue: X
Risk Rating: Medium

NFR #: TSA-IT-08-20
Condition: We were unable to obtain 21 1163 Forms and 27 1402 Forms for each sample of 40. Additionally, 2 of the 13 1402 Forms received were signed after the forms were requested for audit.
  The IT Security Policy Handbook requires all TSA personnel, including contractors, to review and sign the TSA Form 1403: Computer Access Agreement. However, we were unable to obtain 7 of the 25 1403: Computer Access Agreements sampled. Of the 18 forms we obtained, 5 were dated after the sample was requested for audit.
Recommendation: We recommend that TSA perform the following corrective actions:
  - Implement the Employee Exit Clearance Procedures by completing, certifying, and maintaining all forms required during the exit process for employees and contractors.
  - Implement the IT Security Policy Handbook by verifying that all TSA employees and contractors sign a computer access agreement prior to being granted system access.
Repeat Issue: X
Risk Rating: Medium
NFR #: TSA-IT-08-21
Condition: The change control policy has not been fully completed and implemented. CG is responsible for making software changes to the [redacted]; however, on March 31, 2008, CG HQ terminated its contract with the software vendor/developer for [redacted], which has hindered TSA's ability to fully complete and implement the [redacted] change control policy.
Recommendation: We recommend that TSA continue to complete and implement the following sections of the [redacted] Change Control Policy: Build Selection Process, Software Development Process, and Software Testing Process.
Repeat Issue: X
Risk Rating: Medium

NFR #: TSA-IT-08-22
Condition: Control weaknesses still exist within the design of Coast Guard's Configuration Management policies and procedures for [redacted] as well as the operating effectiveness of those controls. Our test work over the design of the change controls covered both periods of the change control environment; however, our testing of operating effectiveness covered only the period from the start of the fiscal year through March 2008, since there were no changes made to [redacted] from April through the remainder of the fiscal year.
Recommendation: We recommend that TSA work with the DHS Chief Information Officer to ensure that Coast Guard Headquarters completes, in a timely manner, the planned corrective actions of the following:
  - The [redacted] develop, implement, communicate, and enforce procedures regarding how changes are to be controlled, documented, tracked, and reviewed as these changes progress through testing and into production.
  - Coast Guard Headquarters develop, implement, communicate, and enforce procedures regarding how change control documentation will be maintained, reviewed, and validated in accordance with the DHS Sensitive System Policy Directive 4300A.
Repeat Issue: X
Risk Rating: High
NFR #: TSA-IT-08-23
Condition: Coast Guard's controls over the scripting process remain ineffective. Weaknesses were noted in controls over script implementation, approvals and testing, as well as active script modification. In addition, Coast Guard has not maintained or developed a population of scripts run since the inception of [redacted] in 2003, nor has it performed a historical analysis of script impact on the cumulative balances in permanent accounts of the financial statements. Specifically:
  - Coast Guard lacks a formal process to distinguish between the module lead approvers for script approval requests (Conditions #1 & #2);
  - The Procedures for [redacted] do not specifically state the testing and documentation requirements for blanket approval scripts, and this policy remains in draft form (Conditions #3 & #4);
  - Coast Guard does not monitor scripts run in the database through audit logging and has not developed a technical solution to monitor who accesses the database through [redacted] to run scripts or to review what scripts are run (Conditions #5 & #6);
  - The [redacted] does not consistently include all testing, approval, and implementation documentation for all scripts (Condition #7); and
  - Coast Guard has not completed documentation for all scripts executed since their implementation (Condition #8).
  Additionally, although Coast Guard did conduct an examination with an external contractor organization, we have determined that the analysis was incomplete. Specifically, due to the many limitations over scope, it did not consider the full population of scripts run at [redacted] currently or since the inception of [redacted]. Furthermore, the analysis did not properly evaluate scripts as to financial statement impact, including current versus prior year effect (Condition #9).
Recommendation: TSA does not have the ability to take corrective actions to remediate these control issues on its own. Therefore it should be made clear that TSA is dependent on the Coast Guard to take the necessary action. In order for management to assert to any financial statement line items, we recommend that TSA work with the DHS Chief Financial Officer and the DHS Chief Information Officer to ensure that Coast Guard Headquarters completes, in a timely manner, the planned corrective actions to:
  - Continue to design, document, implement, and demonstrate the effectiveness of internal controls associated with the active (current and future) scripts.
  - Identify and evaluate the historical scripts (all those implemented prior to those identified in recommendation 1 above) to determine the financial statement impact on cumulative balances in permanent accounts; and develop and maintain supporting procedures related to each script.
  With respect to procedures already in place, TSA should work with the DHS Chief Financial Officer and the DHS Chief Information Officer to ensure that Coast Guard Headquarters completes, in a timely manner, the corrective actions to:
  - Continue to update script policies and procedures to include clear guidance over module lead approvers, testing and documentation requirements, monitoring/audit log reviews, and blanket approval requirements.
  - Finalize and implement policies and procedures governing the script change control process, including completing records within the [redacted] for all executed scripts and ensuring that all scripts are tested in an appropriate test environment prior to being put into production.
  Regarding the actual scripts themselves, TSA should work with the DHS Chief Financial Officer and the DHS Chief Information Officer to ensure that Coast Guard Headquarters completes, in a timely manner, the corrective actions to:
  - Determine the root causes and specific detailed actions necessary to correct the conditions that resulted in scripts, for the total population of scripts run at [redacted], in order to develop system upgrades that would eliminate the use of some of the scripts.
  - Continue efforts to complete an in-depth analysis of active scripts, with the following objectives:
      - All changes to active scripts and new scripts should be subject to an appropriate software change control process to include testing, reviews, and approvals.
      - All active scripts should be reviewed for impact on financial statement balances.
Repeat Issue: X
Risk Rating: High
NFR #: TSA-IT-08-24
Condition: Although Coast Guard Headquarters is in the process of completing background investigations for all civilian employees, this has not been completed. Additionally, Coast Guard has set its position sensitivity designations to Low for the majority of its employees. However, DHS requires position sensitivity designations of no less than Moderate, which equates to a [redacted].
Recommendation: We recommend that TSA work with the DHS Chief Information Officer to ensure that Coast Guard Headquarters completes, in a timely manner, the following planned corrective actions:
  - Perform the initial background investigations and re-investigations for civilian employees in accordance with position sensitivity designations at no less than the Moderate level, as required by DHS directives; and
  - Conduct civilian background re-investigations every ten (10) years, as required by DHS directives, to ensure that each employee has a favorably adjudicated and valid
Repeat Issue: X
Risk Rating: Medium

NFR #: TSA-IT-08-26
Condition: Although procedures surrounding user access privilege re-certifications have been developed, we noted that the process does not include all [redacted] and [redacted] users and does not involve users' supervisors as required by the DHS Sensitive System Policy Directive 4300A. Additionally, we noted that AAR forms are not being completed for all users on a consistent basis, and we identified instances where system access was granted prior to the AAR approval by a supervisor.
Recommendation: We recommend that TSA work with the DHS Chief Information Officer to ensure that the Coast Guard's [redacted] completes, in a timely manner, the planned corrective actions to:
  - Implement and document the [redacted] user access review procedures to include all access privileges and include supervisors in each review.
  - Update procedures to ensure that a documented and approved access authorization request is completed for each individual prior to granting him/her access to the [redacted] applications or databases.
New Issue: X
Risk Rating: Medium

NFR #: TSA-IT-08-27
Condition: Although TSA has implemented quarterly access reviews for [redacted] user accounts and identified accounts with elevated privileges, TSA has not ensured that the [redacted] accounts with an increased risk associated with them are reviewed/authorized on a periodic basis by a supervisor.
Recommendation: We recommend that TSA update the [redacted] and [redacted] Site Administrator User and Role Quarterly Review Process to include procedures surrounding the recertification of accounts with elevated privileges on the [redacted]. In addition, the recertification process should be documented, include supervisor written approval, and occur on at least an annual basis.
New Issue: X
Risk Rating: Medium

                                                                          Appendix C

                          Department of Homeland Security
                      Information Technology Management Letter
                                 September 30, 2008

                                  Appendix C

Status of Prior Year Notices of Findings and Recommendations
                     And Comparison To
   Current Year Notices of Findings and Recommendations

Columns: Component | NFR # | Description | Disposition (Closed / Repeat)

Component: CIS
NFR #: CIS-IT-07-01
Description: The NBC has not defined or documented the appropriate user permissions for the various roles granted to [redacted].
Disposition: Repeat (CIS-IT-08-01)

Component: CIS
NFR #: CIS-IT-07-02
Description: NBC does not perform periodic [redacted] user access reviews to ensure that users' level of access remains appropriate.
Disposition: Repeat (CIS-IT-08-02)

Component: CIS
NFR #: CIS-IT-07-03
Description: Management at the CIS HQ and the Service
Centers [redacted] has not completed or has inadequately completed access forms for [redacted] system users.
Disposition: Repeat (CIS-IT-08-03)

Component: CIS
NFR #: CIS-IT-07-04
Description: Access to the [redacted] security software is not appropriately authorized and documented. Specifically, we noted there are 22 individuals with administrator access in [redacted]. However, CIS could not provide evidence that the access was limited and authorized.
Disposition: Repeat (CIS-IT-08-04)

Component: CIS
NFR #: CIS-IT-07-05
Description: We noted various matters which, when considered in aggregate with other DHS IT findings, indicate that ineffective general controls exist over financial management information systems at CIS. Specifically, these matters are highlighted in the related CIS information technology NFRs. See previously issued NFRs: CIS-IT-07-01 through CIS-IT-07-04.
Disposition: Closed (X)

Component: ICE
NFR #: ICE-IT-07-01
Description: From a sample of five users with multiple accounts (ten accounts), which were selected from throughout the year, [redacted] access request forms could not be provided for four accounts. However, all of these accounts for which the appropriate forms could not be provided were initiated in the period prior to a new policy being implemented. For those four accounts that were initiated after April 1, 2007, such access forms were appropriately completed.
Disposition: Closed (X)

Component: ICE
NFR #: ICE-IT-07-02
Description: There is excessive access to the [redacted]. Currently, over 800 individuals have access to the computer room.
Disposition: Closed (X)

Component: ICE
NFR #: ICE-IT-07-03
Description: The following weaknesses in [redacted] access controls were identified:
  - [redacted] Access Request forms could not be provided for 14 of 60 user accounts.
  - [redacted] Update/Enter Profile Request forms could not be provided for 6 of 30 administrator accounts.
  - Procedures have not been documented for immediately removing [redacted] accounts upon termination or transfer.
  - Procedures have not been established for identifying and disabling [redacted] accounts after 30 days of inactivity.
Disposition: Closed (X)

Component: ICE
NFR #: ICE-IT-07-04
Description: The following weaknesses in [redacted] access controls were identified:
  - [redacted] Access Request Forms for 5 of 60 accounts were not provided, not completed, or not signed by the user's supervisor.
  - Evidence of account authorization could not be provided for seven of ten [redacted] administrator accounts.
  - Procedures have not been documented for immediately removing [redacted] user accounts upon termination or transfer.
  - Procedures for identifying and disabling [redacted] accounts after 30 days of inactivity are in draft format and have not been standardized across the ICE enterprise.
  - Procedures have not been established for periodically recertifying or reviewing privileged [redacted] accounts.
Disposition: Repeat (ICE-IT-08-04)

Component: ICE
NFR #: ICE-IT-07-05
Description: ICE does not perform periodic reviews of [redacted] audit logs.
Disposition: Closed (X)

Component: ICE
NFR #: ICE-IT-07-06
Description: ICE does not perform periodic reviews of [redacted] audit logs.
Disposition: Closed (X)

Component: ICE
NFR #: ICE-IT-07-07
Description: Evidence of approved emergency change requests is not maintained, which would support the validity and authorization of the changes.
Disposition: Closed (X)

Component: ICE
NFR #: ICE-IT-07-08
Description: We noted various matters which, when considered in aggregate with other DHS component findings, indicate that ineffective general controls exist over financial management information systems at ICE. Specifically, these matters are highlighted in the ICE information system related NFRs. See previously issued NFRs, ICE-IT-07-01 through ICE-IT-07-07.
Disposition: Closed (X)

Component: CBP
NFR #: CBP-IT-07-01
Description: Due to the design of [redacted], certain controls can be overridden without supervisory approval. For example, when a CBP entry specialist attempts to liquidate an import entry in [redacted], the system displays a warning message indicating that a drawback claim had been filed against the import entry. However, entry specialists could override the warning message without supervisory review and process a refund without investigating pending drawback claims. The purpose of this warning message is to ensure that both a refund and a drawback are not paid on the same goods. We also determined that entry specialists could override system edits designed to detect refunds exceeding the total duty, tax, and fees paid on an import entry. [redacted]
does not currently generate override reports for supervisory review.
  In FY 2007, we noted that there has been little change in the status of this finding. CBP is developing a control override report which will record all control overrides that have taken place for a period of time. Management stated that the [redacted] will not be implemented in FY 2007. We concluded that a control mechanism to prevent overrides by specialists without supervisory approval would be an appropriate technical safeguard under application controls.
Disposition: Closed (X)

Component: CBP
NFR #: CBP-IT-07-02
Description: A full listing of trade partners was never compiled to assess the full scope of the status of connections to [redacted]. We noted that a complete and accurate listing is still not maintained. Of those connections that have been accounted for, we noted that only 7% of identified legacy connections had an Interconnection Security Agreement (ISA) that has not expired. We noted that a [redacted] solution is being phased in and legacy connections are being phased out, and that significant progress is being made to move all existing trade partners to the new solution, in which they will obtain an ISA documenting the connection.
Disposition: Repeat (CBP-IT-08-02)

Component: CBP
NFR #: CBP-IT-07-03
Description: CBP does not maintain a centralized listing of contract personnel, including employment status. The only method CBP employs to track terminated contractors is the use of a report of users that had their mainframe accounts deleted. We cannot acknowledge this list as representative of all terminated contractors, since terminated contract personnel may not have mainframe access or their access was not removed after their termination.
Disposition: Repeat (CBP-IT-08-03)

Component: CBP
NFR #: CBP-IT-07-04
Description: We confirmed that in FY 2007, backup tapes do not have external labels affixed in order to indicate the sensitivity of the data contained in the tapes. Instead, containers in which the tapes are stored are labeled with media labels. Currently, CBP has obtained a waiver which waives the responsibility to label media directly. However, CBP remains non-compliant and the risk still remains.
Disposition: Closed (X)

Component: CBP
NFR #: CBP-IT-07-05
Description: We noted the following issues related to password parameters:
  - [redacted] minimum password length is set to six characters
  - Password complexity is not set on the [redacted]
  - [redacted] minimum password length is set to six characters
  - Password complexity is not set on the [redacted]
Disposition: Closed (X)

Component: CBP
NFR #: CBP-IT-07-06
Description: We noted the following issues:
  - CBP's policy stated that sessions should automatically disconnect after 30 minutes of inactivity, which is not consistent with DHS policy.
  - CBP's policy stated that the workstation should log off from all connections after 5 minutes of inactivity. According to applicable guidance, all system connections do not have to be terminated after 5 minutes of inactivity on the workstation.
  - CBP workstations could not enforce the activation of a password-protected screensaver after five minutes of inactivity. The settings could be disabled or changed by individual users.
Disposition: Closed (X)

Component: CBP
NFR #: CBP-IT-07-07
Description: We determined that [redacted] does not have the ability to prevent developers from overwriting existing code in the development environment. The developer is able to extract the code from the development environment and place it into a personal folder on the user's personal computer. If multiple users are modifying a program in their own personal folders, they may be overwriting existing changes.
Disposition: Closed (X)

Component: CBP
NFR #: CBP-IT-07-08
Description: A solution has not been implemented to maintain [redacted] audit logs for an appropriate period of time. Audit logs are not being reviewed for security violations for the [redacted].
Disposition: Repeat (CBP-IT-08-08)

Component: CBP
NFR #: CBP-IT-07-09
Description: We noted that accounts are not deactivated automatically after 30 days of inactivity. Accounts are disabled for inactivity once a month using a manually initiated job.
Disposition: Repeat (CBP-IT-08-09)

Component: CBP
NFR #: CBP-IT-07-10
Description: We reviewed the procedures and evidence of the most recent recertification performed for physical access to the data center.
We noted the following:\n                      x     Two people had access that was not appropriately\n                            documented with an approved access request form.\n                                                                                   X\n                      x     One terminated employee retained access after the\n                            recertification.\n                      x     One user was marked to be removed as a result of\n                            the recertification but was not removed\n                            appropriately.\n  CBP       CBP-IT-   CBP System Security does not consistently retain audit\n             07-11    logs of powerful mainframe system utilities. We\n                      reviewed the existence of               logs for a\n                      selection of dates and noted that logs were not\n                      available for a series of dates. We noted that within a      X\n                      90 day window, complete logs were available for all\n                      selected dates except one. For the year long window,\n                      17 summary reports were unavailable.\n  CBP       CBP-IT-   As identified in prior year issues reported in FY 2003,               CBP-IT-\n             07-12    FY 2004, FY 2005 and FY 2006, we noted that                            08-12\n                      improvements are still needed in CBP\xe2\x80\x99s Incident\n                      Handling and Response Capability which may\n                      potentially limit CBP\xe2\x80\x99s ability to respond to incidents\n                      in an appropriate manner. 
In FY 2007, we noted that\n                                               will not be installed on all\n                      workstations for the majority of the fiscal year.\n  CBP       CBP-IT-   During testwork around the application of security                    CBP-IT-\n             07-13    patches, we noted that a complete listing of                           08-13\n                      workstations is not maintained                       .\n                      We noted that                     does not have the\n                      ability to quickly compile a listing of all workstations\n                      under CBP\xe2\x80\x99s ownership.\n  CBP       CBP-IT-   We noted that tape withdrawal requests are not\n             07-14    documented.                                                  X\n\n  CBP       CBP-IT-   We noted that the        is currently configured to\n             07-15    disable accounts after 90 days of inactivity. We also\n                      noted that the job is configured to run weekly, which\n                      does not comply with the requirement for automatic           X\n                      disabling of accounts.\n\n\n\n\n                                                 94\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                        Appendix C\n\n                              Department of Homeland Security\n                          Information Technology Management Letter\n                                     September 30, 2008\n                                                                                     Disposition\nComponent    NFR #                          Description                           Closed       Repeat\n  CBP       CBP-IT-   We noted that the       has been adjusted to limit                      CBP-IT-\n             07-16    active emergency access to 24 hours after 
the request.                   08-16\n                      We noted however that the emergency table is still\n                      being used and that administrator or supervisory\n                      approval is not required each time emergency access is\n                      activated.\n  CBP       CBP-IT-   CBP                    does not conduct reviews of\n             07-17    powerful system utilities. Specifically, the utilities\n                                                                           are\n                      not reviewed by management.\n                                                                                    X\n                      Additionally, while procedures are now in place for\n                      review of these logs, these procedures were not in\n                      place for the majority of the fiscal year.\n  CBP       CBP-IT-   We noted there are currently no procedures in place for                 08-18\n             07-18    the completion of semi-annual recertifications of\n                             accounts. We also note that a recertification of\n                                  accounts is not performed on a semi-annual\n                      basis.\n  CBP       CBP-IT-   We noted that the completion of security awareness\n             07-19    training is not appropriately tracked at CBP. We noted\n                      that out of a selection of 45 CBP employees, one\n                      employee maintained access to          without having\n                      completed the refresher security awareness training           X\n                      course. The individual completed an awareness course\n                      that was not the CBP-wide security awareness training\n                      required for all CBP employees.\n  CBP       CBP-IT-   We noted several access control weaknesses for the\n             07-20        solution during testwork. 
Specifically, we noted:\n                      x     The       sever does not maintain information on\n                            user account creation and inactivity and therefore\n                            cannot terminate inactive accounts or provide audit\n                            information regarding the creation of\n                            accounts,\n                      x     Accounts that did not recertify during the              X\n                            recertification time period or were marked for\n                            deletion during the recertification period remained\n                            active on the system after the accounts should have\n                            been deactivated by        administrators,\n                      x     Procedures for recertifying accounts were not fully\n                            implemented and accounts were recertified by\n                            means beyond those identified in documented\n                            procedures\n  CBP       CBP-IT-   We noted that when changes to a user\xe2\x80\x99s access are                      CBP-IT-\n             07-21    performed in             , the log of these events is                   08-21\n\n\n                                                  95\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                     Appendix C\n\n                              Department of Homeland Security\n                          Information Technology Management Letter\n                                     September 30, 2008\n                                                                                  Disposition\nComponent   NFR #                           Description                        Closed       Repeat\n                      not regularly reviewed by personnel independent from\n                      those individuals 
that made the changes.\n  CBP       CBP-IT-   We noted that the following documents as not having\n             07-22    documented approval and/or approval dates:\n                      x     System Development Life Cycle (SDLC)\n                            Configuration Management Plan \xe2\x80\x93 No approval for\n                            majority of fiscal year\n                      x     Configuration Management Code Migration\n                            Procedures for    \xe2\x80\x93 No approval or effective\n                            date\n                                                                                 X\n                      x     Configuration Management Code Migration\n                            Procedures for    \xe2\x80\x93 No approval date or\n                            effective date\n                      x     Production Management Team Procedures \xe2\x80\x93 No\n                            approval, no change history\n                      x     NDC Operations: Standard Operating Procedures\n                            \xe2\x80\x93 No approval\n  CBP       CBP-IT-   3 out of 5 selected    Emergency Changes did not\n             07-23    have post implementation Executive Approval as\n                      required by the new OIT emergency change                   X\n                      procedures.\n  CBP       CBP-IT-   The       re-certification process has several\n             07-24    weaknesses. 
Of the 45 selected ports, 45 ports did not\n                      have formally documented communication between\n                      the responsible Director of Field Operations (DFO)         X\n                      and Office of Field Operations (OFO) HQ as directed\n                      by the FY 2006 memorandum put out by Office of\n                      Finance.\n  CBP       CBP-IT-   We noted that the             does not have an\n             07-25    Information System Security Officer (ISSO), but has\n                      been assigned an interim ISSO. We noted that this          X\n                      interim ISSO is not formally documented as the\n                            ISSO.\n  CBP       CBP-IT-   We noted that evidence of the review of mainframe                   CBP-IT-\n             07-26    security violation logs for 6 of 25 dates were not                   08-26\n                      available for review.\n  CBP       CBP-IT-   We noted that authorizations are not being maintained               CBP-IT-\n             07-27    for personnel that have administrator access to                      08-27\n\n  CBP       CBP-IT-   We noted that access policies and procedures have not               CBP-IT-\n             07-28    been formally documented for the               We                    08-28\n                      also noted that access authorization forms were not\n\n\n                                                 96\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                       Appendix C\n\n                              Department of Homeland Security\n                          Information Technology Management Letter\n                                     September 30, 2008\n                                                                                    Disposition\nComponent   NFR #                          
Description                           Closed       Repeat\n                      completed for 27 out of 45 accounts created in FY\n                      2007.\n  CBP       CBP-IT-   We noted that procedures have been developed and a                    CBP-IT-\n             07-29    new termination form (CF-241) has been developed for                   08-29\n                      use in terminating employees. We note that while\n                      these procedures address the submission of the form to\n                                       and require notification of removal of\n                      system access from                   , the new\n                      procedures were developed and activated in June,\n                      2007. The procedures are currently not implemented,\n                      however.\n  CBP       CBP-IT-   We noted that multiple terminated employees retained\n             07-30    active accounts on the        They were disabled as a\n                      result of accounts being inactive for 90 days.               
X\n                      Therefore, these accounts were active 90 days after the\n                      employee terminated from CBP.\n  CBP       CBP-IT-   We noted that 12 of the 45 selected ports/headquarters\n             07-31    did not have self inspection worksheets completed.\n                      Accordingly, we were not able to determine whether           X\n                      specific      high risk combinations of roles were\n                      performed at these ports/headquarters.\n  CBP       CBP-IT-   We selected 20 out of 201 changes and noted the\n             07-32    following:\n                      x     9 of the 20 changes did not have formal test plans\n                            or documented results                                  X\n\n                      x     20 of the 20 changes did not have evidence of\n                            review of the documented test results.\n  CBP       CBP-IT-   We selected 15 of 90         changes and noted the\n             07-33    following:\n                      x     3 of the 15 selected changes did not have formally\n                            documented test plans or test results.                 X\n\n                      x     15 of the 15 changes did not have evidence of\n                            review of the test results documented.\n  CBP       CBP-IT-   We noted that virus protection is not installed on all                CBP-IT-\n             07-34    CBP workstations. Specifically, we noted at the time                   08-34\n                      of testing that approximately 6000 of CBP\xe2\x80\x99s\n                      approximate 38000 workstations do not have antivirus\n                      protection installed. 
Since the initial testing was\n                      performed, we noted that immediate remediation has\n                      begun and as of September 28, improvements have\n                      been made but 1,557 out of 42,429 workstations still\n                      are missing virus protection software.\n  CBP       CBP-IT-   During our technical testing, eighteen configuration                  CBP-IT-\n\n                                                  97\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                           Appendix C\n\n                              Department of Homeland Security\n                          Information Technology Management Letter\n                                     September 30, 2008\n                                                                                        Disposition\nComponent   NFR #                        Description                                 Closed       Repeat\n            07-35     management exceptions were identified on                                    08-35\n\n                                   and hosts supporting the         application.\n  CBP       CBP-IT-   During our technical testing, thirty-seven patch                          CBP-IT-\n             07-36    management exceptions were identified on                                   08-36\n\n                                   and hosts supporting the         application.\n\n   CG       CG-IT-              has replaced the            concept with the                     CG-IT-\n            07-01     development of a            which addresses disaster                        08-01\n                      recovery, business continuity and continuity of\n                      government. 
However,                   is in draft form and\n                      has not yet been tested and the            with the      for\n                      reciprocal services is still in draft form as well.\n   CG       CG-IT-    The             change control policy does not detail            X\n            07-02     requirements for requesting, testing, and approving\n                      changes. Furthermore, there are no formalized\n                      requirements pertaining to retention of supporting\n                      documentation and the roles and responsibilities of\n                                personnel in the process. Additionally, the\n                      policy does not adequately reflect the\n                      environment and change control process that was\n                      utilized during the           upgrade performed\n                      during FY07. Examples of inconsistencies include the\n                      references to service packs, data fixes, and the testing\n                      procedures completed.\n   CG       CG-IT-    The         system does not meet DHS password                    X\n            07-03     complexity requirements and the        system is not\n                      scheduled for decommissioning until December 2007.\n   CG       CG-IT-    There are 4 conditions present in this NFR, which were           X\n            07-04     identified during our FY07 follow-up testwork\n                      associated with NFR CG-IT-06-013:\n                      x     From October 1 2006 through July 24, 2007, PSC\n                            had not yet implemented policies and procedures\n                            for use in managing terminations, including the\n                            use of the Outgoing Personnel Form.\n                      x     Outgoing Personnel Forms were not completed for\n                            one of five individuals selected for testing.\n                      x 
    One terminated individual remained active within\n                                    until 90 days after his last logon before his\n                            account was revoked as part of the\n                            account review process.\n                      x     The account of a second terminated individual\n                            remains active within the system, although it has\n\n\n                                                   98\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                       Appendix C\n\n                             Department of Homeland Security\n                         Information Technology Management Letter\n                                    September 30, 2008\n                                                                                    Disposition\nComponent   NFR #                             Description                        Closed       Repeat\n                           been configured to automatically log out the\n                           terminated individual if he attempts to login.\n                           Although this is a low risk issue, the existence of\n                           this account still presents a potential risk to the\n                                    data.\n   CG       CG-IT-   Policies and procedures regarding requesting,                 X\n            07-05    authorizing, testing, and approving operating system\n                     changes are not consistently followed. Additionally, a\n                     testing baseline standard has not been established to\n                     ensure that operating system changes have not\n                     adversely affected portions of the system that were not\n                     intended to be affected. 
Lastly,      was unable to\n                     reconcile changes to the operating system to a listing\n                     of authorized operating system changes to ensure that\n                     all changes have been appropriately approved.\n   CG       CG-IT-   The contract CG HQ has with the                                         CG-IT-\n            07-06    software vendor does not include security                                08-06\n                     configuration requirements that must be adhered to\n                     during the configuration management process.\n                     Consequently,                  builds and maintenance\n                     packs may not be configured and implemented with\n                     comprehensive security configuration requirements.\n                     CG recognizes the absence of security requirements\n                     and indicated that the contract with the vendor will be\n                     reassessed in 2008 during the contract renewal process\n                     with CG HQ and corrective actions will be taken at\n                     that time.\n   CG       CG-IT-        has not implemented the following password                         CG-IT-\n            07-07    requirements:                                                            08-07\n                     x     Passwords shall contain special characters\n                     x     Passwords shall not contain any dictionary word\n                     x     Passwords shall not contain any proper noun or\n                           name of any person, pet, child, or fictional\n                           character\n                     x     Passwords shall not contain any employee serial\n                           number, social security number, birth date, phone\n                           number, or any information that could be readily\n                           guessed about the creator of the password\n                   
  x     Passwords shall not contain any simple pattern of\n                           letters or numbers, such as qwerty or xyz123\n                     x     Passwords shall not be any word, noun, or name\n                           spelled backwards or appended with a single digit\n                           or with a two digit year string, such as 98xyz123\n\n\n\n                                                  99\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                      Appendix C\n\n                             Department of Homeland Security\n                         Information Technology Management Letter\n                                    September 30, 2008\n                                                                                   Disposition\nComponent   NFR #                          Description                          Closed       Repeat\n                     x     Passwords shall not be the same as the User ID\n   CG       CG-IT-   Two generic accounts have access to            and           X\n            07-08                   . Additionally, we determined that the\n                                      and               settings were not\n                     enabled. Furthermore, four accounts assigned to\n                     personnel had both SPECIAL and                   , two\n                     of which were system programmers.\n   CG       CG-IT-   Every individual with access to the            data          X\n            07-09    center has not completed the required emergency\n                     response training. 
Additionally, four employees were\n                     identified with 24 hour access to the data center that\n                     had not completed the training as of July 2007.\n                     Lastly, the security guards, with unrestricted access to\n                     the data center, have not yet been required to complete\n                     the training.\n   CG       CG-IT-   No formal procedures have been developed or                            CG-IT-\n            07-10    implemented by CG HQ to address DHS requirements                        08-10\n                     surrounding the suitability screening of contractors\n                     accessing DHS IT systems. DHS directives and\n                     policies require CG and other DHS components to\n                     ensure the completion of background investigations for\n                     all contractors accessing IT systems. The type of\n                     background investigation should be based on the risk\n                     level of the job position at CG and should be\n                     completed prior to the start of work. However, no CG\n                     guidance exists to require CG components to clear\n                     their contractors for suitability, especially those with\n                     sensitive IT positions.\n   CG       CG-IT-   Session lockout times need to be changed from 40 to          X\n            07-11    20 minutes to meet DHS requirements.\n   CG       CG-IT-   The                        Disaster Recovery Plan has        X\n            07-12    not been tested and we were unable to obtain a\n                     finalized MOU between        and           .\n   CG       CG-IT-        is not consistently following the        for all        X\n            07-13             application changes. 
For four system change\n                     proposals and their associated sub-tasks, supporting\n                     documentation (i.e., evidence of testing, peer reviewer,\n                     approvals, evidence of joint application design\n                     meetings and business sponsor approvals) was not\n                     available.\n   CG       CG-IT-   Lack of criteria for defining personnel with significant               CG-IT-\n            07-14    IT responsibilities within the USCG IT Security                         08-14\n                     Awareness, Training and Education Plan.\n                     Additionally, the personnel that are defined in the\n                     guidance are very limited and do not fully cover the\n                     scope of security responsibilities addressed in DHS\n\n                                                100\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                     Appendix C\n\n                             Department of Homeland Security\n                         Information Technology Management Letter\n                                    September 30, 2008\n                                                                                  Disposition\nComponent   NFR #                           Description                        Closed       Repeat\n                     requirements.\n   CG       CG-IT-   The         application database          is using                    CG-IT-\n            07-15                           , which is no longer supported                  08-15\n                     by the vendor. Additionally, an account on the\n                     database has a password the same as account name\n                     (sccr_browse). 
    The database also has a directory manipulation vulnerability in the binary file oracle.

CG  CG-IT-07-16  [Closed]
    [redacted] has developed and implemented policies and procedures that address the review of inactive accounts and lock those that have been inactive for 90 days. However, DHS guidance requires that inactive accounts be locked after 30 days.

CG  CG-IT-07-17  [Repeat: CG-IT-08-17]
    [redacted] access control weaknesses were noted:
    - Passwords shall contain special characters
    - Passwords shall not contain any dictionary word
    - Passwords shall not contain any proper noun or name of any person, pet, child, or fictional character
    - Passwords shall not contain any employee serial number, social security number, birth date, phone number, or any information that could be readily guessed about the creator of the password
    - Passwords shall not contain any simple pattern of letters or numbers, such as qwerty or xyz123
    - Passwords shall not be any word, noun, or name spelled backwards or appended with a single digit or with a two digit year string, such as 98xyz123

CG  CG-IT-07-18  [Closed]
    [redacted] access control weaknesses were noted:
    - Passwords shall contain special characters
    - Passwords shall not contain any dictionary word
    - Passwords shall not contain any proper noun or name of any person, pet, child, or fictional character
    - Passwords shall not contain any employee serial number, social security number, birth date, phone number, or any information that could be readily guessed about the creator of the password
    - Passwords shall not contain any simple pattern of letters or numbers, such as qwerty or xyz123
    - Passwords shall not be any word, noun, or name spelled backwards or appended with a single digit or with a two digit year string, such as 98xyz123
    - [redacted] accounts of terminated individuals are not removed in a timely manner, including one individual who had user account management capabilities within the system. Additionally, application and database accounts are not being reviewed for appropriateness.

CG  CG-IT-07-19  [Closed]
    [redacted] access control weaknesses were noted:
    - Documented access request forms could not be located for two new [redacted] users granted access to the application.
    - [redacted] accounts are not immediately disabled upon an employee's termination.
    - Procedures have not been developed to require periodic account reviews to be performed to ensure that all users and their associated privileges are appropriate.
    - [redacted] has not been configured to track and deactivate accounts that have not been used in 30 days.
    - An excessive number of individuals had user administrator capabilities within [redacted] until the implementation of the centralized user management (August 19, 2007).
    - Password configuration is not in compliance with DHS guidance.

CG  CG-IT-07-20  [Closed]
    The periodic review of [redacted] accounts only covers 1% of all user accounts with roles greater than [redacted] and that have been modified within the last 90 days. The population that is validated during this [redacted] system review was found to be insufficient, as the user population of the system is approximately 60,000 user accounts.

CG  CG-IT-07-21  [Closed]
    The procedures for the periodic review of [redacted] user accounts do not require a review of all active user accounts and privileges to be performed and validated.

CG  CG-IT-07-22  [Repeat: CG-IT-08-22]
    Password configuration weaknesses are associated with the [redacted] application. Also, the [redacted] application is configured to terminate idle sessions after 30 minutes of inactivity instead of 20 minutes.

CG  CG-IT-07-23  [Repeat: CG-IT-08-23]
    While audit logging has been turned on for the [redacted] database, reviews of actions being taken on that database are still not being performed.

CG  CG-IT-07-24  [Closed]
    Policies and procedures regarding [redacted] data used for the Coast Guard environmental liability report on the DHS Consolidated balance sheet have been developed but are currently in draft form and have not been implemented.

CG  CG-IT-07-25  [Repeat: CG-IT-08-25]
    We noted the following [redacted] access control weaknesses:
    - Excessive access exists within the [redacted] database.
    - Password configurations for the [redacted] and [redacted] profiles have been configured to permit passwords to be a minimum of six characters in length. Additionally, the password history requirement is the only password requirement that has been configured for the [redacted] profile.
    - Audit logging has not been enabled within the [redacted] application or database.
    - Documented access request forms could not be located for nine out of 22 new [redacted] users granted access to the application. Additionally, although the automated access request forms for the other 13 out of 22 new [redacted] users granted access to the application were approved, the level of access/privileges associated with the new users was not documented on the access request form.
    - Individuals who are no longer employed with [redacted] were found to have active accounts within [redacted].
    - [redacted] account reviews have not been performed on a periodic basis.

CG  CG-IT-07-26  [Closed]
    The [redacted] system has been configured to automatically end-date accounts that have been inactive for six months. However, DHS requirements require accounts to be disabled after 30 days of inactivity.

CG  CG-IT-07-27  [Repeat: CG-IT-08-27]
    Accounts within [redacted] that have been inactive for more than 90 days have not been disabled, access request authorization forms were unavailable for 19 of the 30 individuals who had accounts created during FY07, a recertification of [redacted] accounts is not performed, and terminated employees are not deactivated in a timely manner.

CG  CG-IT-07-28  [Closed]
    From the sample selected, a developer had elevated production privileges in [redacted]. Also, two procedures/packages ([redacted]) were added to [redacted] privileges.

CG  CG-IT-07-29  [Transferred to Audit Team]
    The individual who enters an applicant's data into the [redacted] also has the ability to hire the applicant in the system.

CG  CG-IT-07-30  [Closed]
    [redacted] functional change control policies and procedures did not reflect the change control process for the [redacted] changes and did not adequately detail guidance for the change control process. Specifically, the policy does not include requirements for requesting, testing, and approving changes prior to implementing the functional change into the production environment.

CG  CG-IT-07-31  [Repeat: CG-IT-08-31]
    Coast Guard has only eliminated a small number of the scripts used on a consistent basis and is projecting that this approach will continue into the delivery of [redacted] 4.2 and beyond. Additionally, we noted that as of April 27, 2007, 240 scripts were run during a week-long period. The number and type of scripts that are executed during any one period in time varies from week to week depending on the issues encountered. Of the 240 scripts noted during this particular week, several were run numerous times for the same software gap. Consequently, [redacted] has not fully integrated the two change control processes or eliminated the need for the scripts.

CG  CG-IT-07-32  [Repeat: CG-IT-08-32]
    Coast Guard does not maintain a centralized listing of contracted personnel, including employment status such as start date and termination date, so that system accounts can be updated in a timely manner.

CG  CG-IT-07-33  [Repeat: CG-IT-08-33]
    Coast Guard does not consistently notify system owners that individuals are terminating from the Coast Guard so that system accounts can be updated in a timely manner.

CG  CG-IT-07-34  [Repeat: CG-IT-08-34]
    [redacted] is not consistently implementing policies and procedures regarding the [redacted] change control process. Specifically, supporting documentation is not maintained for all changes and emergency changes. Additionally, changes may be approved prior to the change being tested and passing the test.

CG  CG-IT-07-35  [Repeat: CG-IT-08-35]
    Policies and procedures for the overall change control process surrounding [redacted] changes and emergency changes are inadequate. Specifically, the policies and procedures do not fully include guidance for the roles and responsibilities [redacted] possesses in the change control process. Additionally, they do not include detailed requirements and guidance on requesting changes, initial approvals, [redacted] testing, final approvals, and documentation retention requirements for changes made to the system.

CG  CG-IT-07-36  [Repeat: CG-IT-08-36]
    Configuration management weaknesses exist on hosts supporting the [redacted] applications and [redacted].

CG  CG-IT-07-37  [Repeat: CG-IT-08-37]
    Patch management weaknesses exist on hosts supporting the [redacted] applications and [redacted].

CG  CG-IT-07-38  [Closed]
    [redacted] program changes are implemented in production prior to approval from the Financial Reports & Analysis (FF) Branch Chief or the Financial Control & Information (FC) Division Chief as required by [redacted] policy and procedures. Additionally, systems personnel move program changes into production without signing off on the Request Change to [redacted] Database form as required by the procedures.

CG  CG-IT-07-39  [Closed]
    Coast Guard has not completed the process of filing the background investigation records that were recovered and recreating the records that were not found during the migration of records from the Department of Transportation to DHS.

CG  CG-IT-07-40  [Repeat: CG-IT-08-40]
    Civilian background investigations and reinvestigations are not being performed in accordance with DHS Minimum Background Investigation standards per the DHS Sensitive System Policy Directive 4300A.

CG  CG-IT-07-41  [Repeat: CG-IT-08-41]
    Per review of the [redacted] package, we noted that system boundary definitions do not fully reflect the systems environment in which CG operates, [redacted] does not reflect system changes made in the [redacted]de, and [redacted] is classified by CG as a subsystem of [redacted]; however, there is no documentation within the [redacted] that defines [redacted] as a subsystem and addresses the appropriate security controls for [redacted] in this capacity according to NIST requirements for subsystems.

CG  CG-IT-07-42  [Repeat: CG-IT-08-42]
    Coast Guard is not compliant with the FFMIA from an information technology perspective and in the following areas:
    - Computer Security Act Requirements, including aspects of the Federal Information Security Management Act (FISMA)
    - System Documentation
    - Internal Controls
    - Training and User Support
    - System Maintenance
    - System Information Flow

CONS  CONS-IT-07-01  [Closed]
    The [redacted] application has not been configured to meet the following password requirements as defined by the DHS Sensitive System Policy Directive 4300A:
    - Contain special characters
    - Not be the same as the previous 8 passwords
    - Passwords shall not contain any proper noun or the name of any person, pet, child, or fictional character. Passwords shall not contain any employee serial number, Social Security number, birth date, phone number, or any information that could be readily guessed about the creator of the password
    - Passwords shall not contain any simple pattern of letters or numbers, such as "qwerty" or "xyz123"
    - Passwords shall not be any word, noun, or name spelled backwards or appended with a single digit or with a two-digit "year" string, such as 98xyz123
    - Passwords shall not be the same as the UserID
    Additionally, the [redacted] password configuration does not meet the following service provider's password requirements as outlined in the [redacted]:
    - Passwords must not contain dictionary words pertaining to personnel data (e.g. user's name, date of birth, address, telephone number, and social security number)
    - Passwords are not to be reused
    - Passwords must be composed of upper/lower case and special characters

CONS  CONS-IT-07-02  [Closed]
    DHS OFM has taken corrective action to address the Prior Year (PY) NFR, and we noted that [redacted] Access Request Forms were appropriately completed for each new DHS user added to the system. However, in February 2007, a Treasury contractor responsible for system development created two user accounts within [redacted] to be used to test various functions in the new [redacted] release. These accounts were created without completing the [redacted] Access Request Form. Although we were unable to obtain evidence supporting the date the accounts were removed, we were able to confirm that the accounts had been removed by April 16, 2007.

CONS  CONS-IT-07-03  [Closed]
    DHS OFM has taken corrective action to address the PY NFR by removing all DHS OFM personnel from having access to the [redacted] role, which should be limited to one [redacted] developer only. However, DHS OFM did not take corrective action to address this NFR until August 2007, at which time seven users with inappropriate access were removed. Although DHS OFM has addressed the recommendation in the prior year NFR CONS-IT-06-01, because the corrective action was not taken until 11 months into the fiscal year, we determined that the NFR will be reissued in 2007.

CONS  CONS-IT-07-04  [Closed]
    DHS OFM had taken corrective action to address the PY NFR. Specifically, 10 users had the [redacted] role in April 2007. However, in August 2007, DHS OFM reduced the number of individuals with this access to only one, the Assistant Branch Chief of the Financial Reporting Branch (FRB).

CONS  CONS-IT-07-05  [Closed]
    DHS OFM has taken corrective action to address the PY NFR in June 2007. Specifically, DHS OFM has developed and implemented procedures requiring DHS components to perform a formal review of [redacted] financial data, by a separate approving official, to the general ledger before moving it into the [redacted] repository. Additionally, the procedures require each DHS component to complete a CFO Certification Form for each [redacted] submission. The CFO Certification Form includes a sign-off from the component that the financial data review was performed. We inspected the CFO Certification Forms for each DHS component for June and July 2007 and noted no exceptions.
    We determined that DHS OFM has taken appropriate action to remediate prior year NFR CONS-IT-06-05. However, because corrective action was not taken to address the NFR until eight months into the fiscal year, the NFR will be reissued in FY 2007.

CONS  CONS-IT-07-06  [Closed]
    DHS OFM has taken partial corrective action to address the prior year NFR. Specifically, the system has been configured to lock accounts that have not been logged into in 90 days; however, DHS guidance was revised and released during FY 2007 and requires systems to be configured to disable user accounts after 30 days of inactivity. DHS OFM has applied for and received an exception to the 30-day requirement from the DHS Chief Information Security Officer (CISO) and has instead configured the system to lock accounts after 90 days of inactivity due to business needs.
    The [redacted] password configuration has not been configured to meet all of the password requirements as defined by the DHS Sensitive System Policy Directive 4300A.
    The [redacted] password configuration does not meet the service provider's password requirements as outlined in the [redacted] or the Treasury Information Technology Security Program Handbook.

CONS  CONS-IT-07-07  [Repeat: CONS-IT-08-07]
    Treasury has not established individual accountability within the [redacted] database. Specifically, two [redacted] utilize one generic account, [redacted], to perform maintenance on the [redacted] database that supports the [redacted] application. Additionally, these two [redacted] also share the following [redacted] accounts: [redacted], and [redacted]. [redacted] is the owner of the database and has access to the entire database, while [redacted] and [redacted] are default system accounts that are used for various Oracle system functions such as backups and configuration management and are required to operate and run batch jobs.

CONS  CONS-IT-07-08
    Not Used.

CONS  CONS-IT-07-09  [Closed]
    During FY 2007, we noted that access to the [redacted] module and the [redacted] group appears to be excessive. Specifically, up until the last week of FY 2007, six individuals had such access, which allows them to perform account management capabilities within [redacted] (such as creating, deleting, and modifying [redacted] user accounts). Two of these six individuals were Treasury personnel who should not be able to modify user accounts belonging to DHS. Additionally, we inspected a log of all DHS [redacted] accounts created between October 1, 2006 and May 11, 2007 and noted that one DHS OFM employee was responsible for creating the accounts.
    During the last week of FY 2007, one DHS OFM employee and one Treasury contractor had their module access revoked. However, we still determined access to be excessive, as four individuals (three DHS OFM personnel and one Treasury contractor) still have access to the [redacted] module and the [redacted] group, and the [redacted] only notes the [redacted] to be responsible for creating/modifying/deleting accounts within [redacted].

CONS  CONS-IT-07-10  [Transferred to Audit Team]
    During our FY 2007 follow-up testing, we identified exceptions upon comparing the [redacted] Specifications Table and its congruency with the analytics guidance documented in the Component Guide.

CONS  CONS-IT-07-11  [Repeat: CONS-IT-08-11]
    DHS OFM has developed change control procedures that document DHS OFM's change management responsibilities. However, these procedures were not implemented until June 29, 2007. As a result:
    - Formal change requests were not available for our review for [redacted] changes implemented into production this fiscal year.
    - Documentation supporting five [redacted] changes selected for testing was not available for our review. Specifically, out of five changes selected for testing, we were missing the following documentation:
      - Evidence of Development, Testing and Production [redacted] was not available for four of five changes.
      - Evidence of DHS approval for five of five changes was not available for our review.
      - Evidence of Treasury testing was not available for one of five [redacted] selected for testing.
      - Two of five changes selected for testing were not approved by the Department of the Chief Financial Officer Team Lead, as required.
      - Four of five [redacted] selected for testing were missing the [redacted]; therefore, we were unable to determine that the individual responsible for development was not the same person who migrated the change to production.
      - The change management procedures documented in the DHS [redacted] do not include procedures for notifying components of system changes so that they are aware of changes to the functionality of the system, etc.
      - The change management procedures documented in the DHS [redacted] do not include procedures for handling emergency changes to the system.

CONS  CONS-IT-07-12  [Repeat: CONS-IT-08-12]
    Weaknesses were identified surrounding the [redacted] change control process:
    - DHS OFM has developed change control procedures that document DHS OFM's change management responsibilities. However, these procedures were not implemented until June 29, 2007. As a result:
      - Formal change requests were not available for our review for [redacted] changes implemented into production this fiscal year.
      - The [redacted] change control process is informal. Therefore, the only documentation we received supporting the five changes selected for testing was e-mail documentation sent between DHS OFM and Treasury (requests for the change and notification that the change was complete). No evidence of approvals or testing was available for our review.
      - The change management procedures documented in the DHS OFM [redacted] do not include procedures for notifying components of system changes so that they are aware of changes to the functionality of the system, etc.
      - The change management procedures documented in the DHS OFM [redacted] do not include procedures for handling emergency
                      Disposition\nComponent   NFR #                            Description                             Closed       Repeat\n                                changes to the system.\n\n FEMA        FEMA-     During our technical testing, patch management                  X\n            IT-07-01   weaknesses were identified on                  and\n                               systems.\n FEMA        FEMA-     During our technical testing, configuration                               FEMA-\n            IT-07-02   management weaknesses were identified on                                 IT-08-02\n\n FEMA        FEMA-     We determined that the Financial Services Branch                          FEMA-\n            IT-07-03   (FSB) has created procedures to review              user                 IT-08-03\n                       access on a semi-annual basis for appropriateness of\n                       access privileges granted to employees or contractors\n                       within their organization. Additionally, we noted that\n                       a recertification of all         users, which is also their\n                       semi-annual review of user access, began in June 2007.\n                       Currently, FSB is in the process of validating\n                       access for users who responded to FSB\xe2\x80\x99s\n                       recertification request. In addition, FSB is locking out\n                       the         users who did not respond. 
We determined\n                       that the recertification of all existing        users has\n                       not been completed for FY 2007.\n FEMA        FEMA-     The FEMA alternate processing site located in                   X\n            IT-07-04        is not operational for         FEMA is in the\n                       process of setting up a                                 to\n                       replicate data from the          production server at .\n                                  and send it to the        servers in       ,\n                           . Currently the           not complete and therefore,\n                       the          facility does not have the capability of\n                       functioning as the alternate processing site for\n                       if a disaster were to occur.\n FEMA        FEMA-     The           Security Test & Evaluation (ST&E) did not         X\n            IT-07-05   provide adequate documentation of the results to the\n                       accrediting authority and that the prior year weakness\n                       still exists.\n FEMA        FEMA-     There is not formal, documented procedures are in                         FEMA-\n            IT-07-06   place to require updates to the        system                            IT-08-06\n                       documentation as          functions are added, deleted,\n                       or modified.\n FEMA        FEMA-     We determined that FEMA has identified the                      X\n            IT-07-07           as the alternate processing facility for\n                                 ; however, it will not be fully operational until\n                       September 2007. 
Therefore, we determined that the\n                                contingency plan has not undergone a full-scale\n                       test to show that the system can be brought back to an\n                       operational state at the designated alternate site.\n\n\n                                                  111\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                         Appendix C\n\n                            Department of Homeland Security\n                        Information Technology Management Letter\n                                   September 30, 2008\n                                                                                      Disposition\nComponent    NFR #                           Description                           Closed       Repeat\n  FEMA       FEMA-     We determined that the FEMA              has not been         X\n            IT-07-08   updated to include the new listing of FEMA mission\n                       critical IT systems as outlined in the Information\n                       Technology Services Directorate (ITSD)\n                       Implementation Plan.\n FEMA        FEMA-     We noted that FEMA has begun to standardize all user          X\n            IT-07-09   workstations to                           with\n                               installed, which would ensure that all\n                                  settings are properly applied to all users.\n                       Currently, FEMA is upgrading older user workstations\n                       to                          or providing users with new\n                       workstations. However, we noted that this process will\n                       not be fully complete until January 2008. 
This\n                       weakness impacts\n                       We noted that FEMA users are locked out of the\n                       system at the domain level after three (3) consecutive\n                       failed login attempts; however, the user account\n                       becomes unlocked and active again after five (5)\n                       minutes of inactivity.\n FEMA        FEMA-     We determined that FEMA has begun to standardize              X\n            IT-07-10   all user workstations to\n                                        installed, which would ensure that all\n                                          settings are properly applied to all\n                       users. Currently, FEMA is upgrading older user\n                       workstations to                            or providing\n                       users with new workstations. However, we noted that\n                       this process is not fully completed, and FEMA has\n                       estimated this process will not be completed until\n                       January 2008.\n FEMA        FEMA-     We noted that passwords for the           application can     X\n            IT-07-11   be re-used after six (6) iterations which is not in\n                       compliance with the DHS Sensitive System Policy\n                       Directive 4300A.\n FEMA        FEMA-     We determined that the FEMA Chief Information                           FEMA-\n            IT-07-12   Officer (CIO) provided procedures to all Office                        IT-08-12\n                       Directors, Regional Directors and FEMA Coordinating\n                       Officers for the periodic review of all          accounts\n                       and position assignments on June 28, 2007. 
We noted\n                       that detailed procedures are listed for the review of\n                                accounts; however, the procedures do not state\n                       the frequency of this review.\n                       We noted that this review began on June 29, 2007 with\n                       a deadline of July 26, 2007 for accepting responses\n                       from users recertifying their        accounts.\n                       Therefore, risk of unauthorized users accessing\n                               was present for a majority of the fiscal year.\n\n\n                                                 112\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                         Appendix C\n\n                            Department of Homeland Security\n                        Information Technology Management Letter\n                                   September 30, 2008\n                                                                                      Disposition\nComponent    NFR #                             Description                         Closed       Repeat\n  FEMA       FEMA-     We determined that the FSB has created procedures to                     FEMA-\n            IT-07-13   review           user access on a semi-annual basis for                 IT-08-13\n                       appropriateness of access privileges granted to\n                       employees or contractors within their organization.\n                       Additionally, we noted that a recertification of all\n                                users was performed in June 2007. 
Currently,\n                             is in the process of validating          access for\n                       the users who responded to            recertification\n                       request and locking out the           users who did not\n                       respond. We determined that the recertification of all\n                       existing          users is not yet complete for FY 2007.\n                       We determined that the FEMA CIO provided\n                       procedures to all Office Directors, Regional Directors\n                       and FEMA Coordinating Officers for the periodic\n                       review of all         accounts and position\n                       assignments on June 28, 2007. However, the\n                       procedures do not state the frequency of this review.\n                       Furthermore, we noted that this review began on June\n                       29, 2007 with a deadline of July 26, 2007 for accepting\n                       responses from users recertifying their\n                       accounts. 
Therefore, the risk of unauthorized users\n                       accessing          was present for a majority of the\n                       fiscal year.\n                       We noted that twenty-seven (27) terminated or\n                       separated FEMA employees and contractors maintain\n                       active       user accounts.\n                       We noted that seven hundred seventy (770) terminated\n                       or separated FEMA employees and contractors\n                       maintain active        user accounts.\n FEMA        FEMA-     We determined that IT Operations has created backup           X\n            IT-07-14   procedures entitled, Backup Media Protection and\n                       Control, for         and          dated July 27, 2007.\n                       However, we noted that the procedures were finalized\n                       on July 27, 2007, and that the risk was present for a\n                       majority of the fiscal year.\n                       We noted that both                       backup tapes\n                       are not rotated off-site to the\n                       We noted that the FEMA alternate processing site\n                       located in                 is not operational for\n                       We also noted that the           back-up facility has\n                       redundant servers in place for the\n                       Database in June 2007. Therefore, the risk was present\n                       for a majority of the fiscal year.\n FEMA        FEMA-     We determined that FEMA created the                           X\n            IT-07-15   Configuration Management Plan, Version 0.1, dated\n                       June 29, 2007. 
We noted that this plan was in draft\n\n                                                   113\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                         Appendix C\n\n                            Department of Homeland Security\n                        Information Technology Management Letter\n                                   September 30, 2008\n                                                                                      Disposition\nComponent   NFR #                            Description                           Closed       Repeat\n                       form and that it does not fully identify the\n                       configuration management process of\n                       We determined that FEMA created the Supplemental\n                       Security Policy to the DHS Sensitive System Policy\n                       Directive 4300A, which details policies for restricting\n                       access to the system software of FEMA IT systems.\n                       However, we noted that the draft policy is dated June\n                       14, 2007.\n                       We noted that procedures over restricting access to\n                                system software entitled, Database\n                       Administration Access Procedures and                patch\n                       management procedures were approved on June 29,\n                       2007. 
However, we noted that the risk was present for\n                       a majority of the fiscal year, and as a result, the NFR\n                       will be re-issued for FY 2007.\n FEMA        FEMA-     FEMA created the Supplemental Security Policy to              X\n            IT-07-16   match the DHS Sensitive System Policy Directive\n                       4300A, which details policies for restricting access to\n                       system software. However, we noted that the policy is\n                       in draft and dated June 14, 2007.\n                       FEMA has not documented procedures for restricting\n                       access to     system software.\n FEMA        FEMA-     We determined that FEMA created a System Change                         FEMA-\n            IT-07-17   Request        for         However, the System                         IT-08-17\n                       Change Request         was approved by the OCFO on\n                       June 29, 2007. Furthermore, we noted the evidence\n                       that the            account was locked within the\n                               environment on July 24, 2007. Therefore, we\n                       noted that the risk was present for a majority of the\n                       fiscal year.\n FEMA        FEMA-     FEMA created the Supplemental Security Policy to              X\n            IT-07-18   match the DHS Sensitive System Policy Directive\n                       4300A detailed policies for investigating and reporting\n                       any suspicious activity detected when reviewing audit\n                       logs. 
However, we noted that the policy is dated June\n                       14, 2007 and is in draft form.\n                       FEMA has not documented specific procedures to\n                       review suspicious system software activity and access\n                       controls for\n FEMA        FEMA-     FEMA created the Supplemental Security Policy to                        FEMA-\n            IT-07-19   match the DHS Sensitive System Policy Directive                        IT-08-19\n                       4300A detailed policies for monitoring sensitive access\n                       and investigating and reporting any suspicious activity\n                       detected when reviewing audit logs. However, we\n                       noted that the policy is dated June 14, 2007 and is in\n\n\n                                                  114\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                        Appendix C\n\n                            Department of Homeland Security\n                        Information Technology Management Letter\n                                   September 30, 2008\n                                                                                     Disposition\nComponent   NFR #                           Description                           Closed       Repeat\n                       draft form.\n                       FEMA has not documented procedures to monitor and\n                       review sensitive access, system software utilities and\n                       suspicious system software and access activities for\n\n FEMA        FEMA-     FEMA has adopted the DHS                             for     X\n            IT-07-20            This policy establishes required practices for\n                       managing DHS IT systems and infrastructure solutions\n                       through a progression 
of activities for initiation,\n                       planning, development, testing, implementation,\n                       operation, maintenance, and retirement. However, we\n                       noted that the policy is dated January 27, 2006 and is\n                       in draft form.\n FEMA        FEMA-     FEMA has adopted the DHS                            for      X\n            IT-07-21             This policy establishes required practices for\n                       managing DHS IT systems and infrastructure solutions\n                       through a progression of activities for initiation,\n                       planning, development, testing, implementation,\n                       operation, maintenance, and retirement. However, we\n                       noted that the policy is dated January 27, 2006 and is\n                       in draft form.\n FEMA        FEMA-     FEMA did not have an operational alternate processing                  FEMA-\n            IT-07-22   site for        for a majority of the fiscal year. We                 IT-08-22\n                       determined that the alternate processing site in      ,\n                              has redundant servers in place for the\n                                        effective as of June 2007.\n FEMA        FEMA-             lacks         backup testing procedures.                       FEMA-\n            IT-07-23   Additionally, we determined that the         backups                  IT-08-23\n                       are not periodically tested.\n FEMA        FEMA-             lacks          backup testing procedures.                      
FEMA-\n            IT-07-24   Additionally, we determined that the          backups                 IT-08-24\n                       are not periodically tested.\n FEMA        FEMA-     We noted that the         contingency plan has not                     FEMA-\n            IT-07-25   been tested on an annual basis, per the DHS Sensitive                 IT-08-25\n                       System Policy Directive 4300A.\n FEMA        FEMA-     During our review of user access rights for the              X\n            IT-07-26   approval of         system change requests, we noted\n                       that excessive access rights existed. Specifically, we\n                       determined that three (3) people were authorized to\n                       approve         system change requests, however, one\n                       (1) individual was transferred to another DHS agency.\n                       Therefore, this person\xe2\x80\x99s job responsibilities no longer\n                       required this access nor is this individual a current\n                       FEMA employee.\n                       Upon notification of this issue, FEMA took corrective\n\n                                                 115\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                         Appendix C\n\n                            Department of Homeland Security\n                        Information Technology Management Letter\n                                   September 30, 2008\n                                                                                      Disposition\nComponent   NFR #                          Description                             Closed       Repeat\n                       action and removed the individual\xe2\x80\x99s access rights.\n FEMA        FEMA-     We noted that testing documentation for                       X\n        
    IT-07-27   application level changes are not consistently\n                       documented or performed timely.\n FEMA        FEMA-     Per the DHS Sensitive System Policy Directive 4300A,                    FEMA-\n            IT-07-28   all changes to major applications must be formally                     IT-08-28\n                       approved, tested and documented prior to the change\n                       being implemented. For the test of this control we\n                       selected a sample of nine (9)        application level\n                       changes. We noted that one (1) out of the sample did\n                       not have testing performed.\n FEMA        FEMA-     We noted that the         approvals for                                 FEMA-\n            IT-07-29   application level emergency changes are not                            IT-08-29\n                       consistently documented. Specifically, we determined\n                       that five (5) out of a sample of eight (8)\n                       application level emergency changes did not gain\n                       approval.\n FEMA        FEMA-     We determined that excessive access is designed to be         X\n            IT-07-30   permitted within         to make offline changes to the\n                       general ledger account tables via the\n\n                       Group. We identified six (6) users in the\n                       group that have the ability to make offline changes to\n                       the general ledger account tables, which are not within\n                       their job responsibilities.\n FEMA        FEMA-                does not timeout after a period of inactivity.     
X\n            IT-07-31   Additionally, we determined that all\n                       workstations use a password protected screensaver\n                       after fifteen (15) minutes of inactivity, which is not in\n                       compliance with the DHS Sensitive System Policy\n                       Directive 4300A.\n                                access is not reviewed on a periodic basis to\n                       determine if access is valid and commensurate with job\n                       responsibilities.\n FEMA        FEMA-     While a standard form has been developed for                  X\n            IT-07-32   documenting           change requests,\n                       change management procedures have not been\n                       documented.\n                       System software change management procedures have\n                       not been developed or implemented. Additionally,\n                       installation of the operating system upgrade in FY\n                       2007 was not formally documented or approved.\n FEMA        FEMA-         has made improvements in the area of                      X\n            IT-07-33   Administrator account management. 
However, we\n\n\n                                                  116\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                        Appendix C\n\n                               Department of Homeland Security\n                           Information Technology Management Letter\n                                      September 30, 2008\n                                                                                     Disposition\nComponent   NFR #                            Description                          Closed       Repeat\n                       noted that system activity logs are not being reviewed.\n FEMA        FEMA-           has updated the                   baseline             X\n            IT-07-34   configuration document. However, we noted that\n                       procedures have not been developed which require\n                       approvals prior to implementation. Additionally, of 30\n                       changes selected, 14 changes did not have documented\n                       Operations Service Request (OSR) forms or\n                       documented approvals.\n FEMA        FEMA-     A system programmer                         had write        X\n            IT-07-35   access to the                       and\n                                          datasets of the           production\n                       member.          removed the system programmer\xe2\x80\x99s\n                       access shortly after this finding was identified.\n FEMA        FEMA-     Access to the                                     excel      X\n            IT-07-36   files is excessive. 
Specifically, we identified that\n                       modify and write access permissions to the excel files\n                       are inappropriate for five individuals of the Bureau of\n                       Finance and Statistical Control group.\n FEMA        FEMA-     We noted there is excessive access to                        X\n            IT-07-37   application software and support files. Specifically,\n                       we noted that all individuals within the Bureau of\n                       Finance and Statistical Control group have modify and\n                       write access to the           application software and\n                       support files.\n FEMA        FEMA-           has not documented incompatible duties within                    FEMA-\n            IT-07-38            , developed policy and procedures regarding                  IT-08-38\n                       segregation of duties, or implemented segregation of\n                       duties controls within          . All users of\n                       have full application level access.\n FEMA        FEMA-     The             contingency plan has not been tested. 
FEMA        FEMA-IT-07-39    Repeat: FEMA-IT-08-39
    As a result, the system fail-over capability for the alternate processing site has not
    been tested. The [redacted] does not identify the following:
    • The [redacted] alternate processing facility; and
    • [redacted] critical data files are not documented.

FEMA        FEMA-IT-07-40    Closed
    The ROB forms are not consistently signed prior to users gaining access to the
    [redacted] Bureau [redacted]. Specifically, we determined that three (3) out of a
    sample of twelve (12) new [redacted] Bureau [redacted] users did not sign the
    [redacted] prior to obtaining [redacted] Bureau [redacted] access.

Appendix C

Department of Homeland Security
Information Technology Management Letter
September 30, 2008

Component   NFR #            Disposition (Closed / Repeat)

FEMA        FEMA-IT-07-41    Closed
    We determined that policies and procedures over periodic review of [redacted] access
    lists have been documented. However, we noted that the periodic review determining if
    logical user access is valid and consistent with job responsibilities is not effective,
    as an instance of excessive system developer access was identified within [redacted].

FEMA        FEMA-IT-07-42    Closed
    We determined that periodic review policies and procedures have not been developed for
    access to the [redacted] Bureau [redacted]. As a result, we noted that there are two (2)
    employees with excessive access to the [redacted] Bureau [redacted] room.

FEMA        FEMA-IT-07-43    Closed
    The [redacted] has been configured to permit users to reuse prior passwords after five
    (5) iterations, which is not in compliance with the DHS Sensitive System Policy
    Directive 4300A.

FEMA        FEMA-IT-07-44    Closed
    We noted that proactive vulnerability scanning is not performed over the [redacted]
    backend database or the [redacted] Bureau [redacted].

FLETC       FLETC-IT-07-01   Repeat: FLETC-IT-08-01
    The Change Control and Configuration Management [redacted] for all preventative
    maintenance and patch management over [redacted] is currently in draft form.
    Additionally, the Change Control and Configuration Management [redacted] does not detail
    testing procedures.
    Documented policies and procedures for [redacted] bug fixes and enhancements do not
    exist, including a description for the emergency change process.
    The access group "[redacted]" has modify, read, execute, and write access to the
    [redacted] application program libraries. We determined that this gives all FLETC domain
    level users modify, read, execute, and write access to the [redacted] application
    program libraries.

FLETC       FLETC-IT-07-02   Repeat: FLETC-IT-08-02
    The Change Control and Configuration Management [redacted] for all preventative
    maintenance and patch management over [redacted] is currently in draft form.
    Additionally, the Change Control and Configuration Management [redacted] does not detail
    testing procedures.
    Documented policies and procedures for [redacted] bug fixes and enhancements do not
    exist, including a description for the emergency change process.
    All FLETC domain level users inappropriately have modify, read, execute, and write
    access to the [redacted] support files.

FLETC       FLETC-IT-07-03   Repeat: FLETC-IT-08-03
    The installation of [redacted] system software is not currently logged or reviewed by
    FLETC management.

FLETC       FLETC-IT-07-04   Repeat: FLETC-IT-08-04
    The SDLC for [redacted] is currently in draft form.

FLETC       FLETC-IT-07-05   Repeat: FLETC-IT-08-05
    [redacted] server level and [redacted] backups are not periodically tested.
    Procedures or a testing schedule are not in place for [redacted] server level and
    [redacted] database backups.

FLETC       FLETC-IT-07-06   Repeat: FLETC-IT-08-06
    The [redacted] contingency plan has not been fully tested. We determined that the
    recovery and resumption procedures were not tested during the table-top test of the
    [redacted] contingency plan.

FLETC       FLETC-IT-07-07   Repeat: FLETC-IT-08-07
    The FLETC Computer Security Operations Center and Computer Security Incident Response
    Capability [redacted] is currently in draft form.
    We noted that incidents are not tracked from inception to resolution in an incident
    response management system.

FLETC       FLETC-IT-07-08   Repeat: FLETC-IT-08-08
    We noted that incompatible duties over [redacted] have not been identified, nor have
    policies and procedures been developed to segregate incompatible duties.

FLETC       FLETC-IT-07-09   Repeat: FLETC-IT-08-09
    We determined that FLETC has documented procedures entitled "[redacted] Access Standard
    Operating Procedures", which are currently in draft form.
    All personnel on the [redacted] access listing and regular visitors to the [redacted]
    will have fire suppression training provided. However, FLETC failed to provide the fire
    suppression training materials or a listing of individuals who attended the training.

FLETC       FLETC-IT-07-10   Repeat: FLETC-IT-08-10
    Procedures over access authorizations and the periodic review of user accounts for
    [redacted] do not exist.
    FLETC Manual (FM) 4300: Information Technology System Security Program and Policy
    establishes the policies to be followed when an employee or contractor is separated or
    terminated; it is currently in draft form.
    We found that termination [redacted] for [redacted] and [redacted] are currently under
    development.
    [redacted] does not require passwords to contain a combination of upper and lower case
    letters and special characters.

FLETC       FLETC-IT-07-11   Repeat: FLETC-IT-08-11
    We determined that the FLETC Directive (FD) 43220: IT System Security Awareness and
    Training is in draft form.

FLETC       FLETC-IT-07-12   Repeat: FLETC-IT-08-12
    We determined that FLETC has developed policies and procedures over the authorization
    and use of mobile code technologies in "FM 4300: Information Technology System Security
    Program and Policy." However, we noted that this policy is in draft form.

FLETC       FLETC-IT-07-13   Repeat: FLETC-IT-08-13
    We determined that FLETC has developed policies and procedures to proactively monitor
    sensitive access to system software utilities for [redacted] in the "FM 4300:
    Information Technology System Security Program and Policy." However, we noted that this
    policy is in draft form.

FLETC       FLETC-IT-07-14   Repeat: FLETC-IT-08-14
    We determined that FLETC has developed policies for restricting access to [redacted]
    system software in the "FM 4300: Information Technology System Security Program and
    Policy." However, we noted that this policy is in draft form.
    We noted that FLETC has developed procedures for restricting privileged and sensitive
    access, including [redacted] system software, in the [redacted], which is currently in
    draft form.

FLETC       FLETC-IT-07-15   Repeat: FLETC-IT-08-15
    We noted that FLETC has developed policies for the segregation of duties in the "FM
    4300: Information Technology System Security Program and Policy." However, we noted that
    the policy is currently in draft form.
    We noted that FLETC has developed procedures for the segregation of duties in the
    "Logical Access Controls [redacted]", which is currently in draft form.

FLETC       FLETC-IT-07-16   Repeat: FLETC-IT-08-16
    We noted that FLETC has developed policies for the use of [redacted] in "FM 4300:
    Information Technology System Security Program and Policy." However, we noted that the
    [redacted] is currently in draft form.
    The [redacted] hardening guide and [redacted] are currently in development and not
    finalized.
    We determined that FLETC has not completed a security assessment of the [redacted]
    site's installation.

FLETC       FLETC-IT-07-17   Repeat: FLETC-IT-08-17
    We sampled thirty (30) IT contractors for evidence of background investigations and
    noted the following:
    • Nine (9) IT contractors did not have evidence that a background investigation was
      initiated or completed; and
    • For twelve (12) IT contractors, we were not able to validate if background
      investigations were initiated or adjudicated, due to a lack of documentation or poor
      documentation of background investigations initiated.

FLETC       FLETC-IT-07-18   Repeat: FLETC-IT-08-18
    We determined that FLETC has developed policies for the review of [redacted] audit logs
    in the "FM 4300: Information Technology System Security Program and Policy." However,
    we noted that the policy is currently in draft form.
    Procedures around the detailed review of audit records do not exist.
    Audit logs are not maintained for [redacted] on an application level.

FLETC       FLETC-IT-07-19   Closed
    We noted that [redacted] has been configured to permit users to reuse prior passwords
    after three (3) iterations, which is not in compliance with the DHS Sensitive System
    Policy Directive 4300A. Upon notification of this issue, FLETC took corrective action
    and [redacted] is now configured to permit users to reuse prior passwords after eight
    (8) iterations.

FLETC       FLETC-IT-07-20   Repeat: FLETC-IT-08-20
    We noted that the [redacted] is configured to trigger a domain level password protected
    screensaver after twenty (20) minutes of inactivity on user workstations, which is not
    in compliance with the DHS Sensitive System Policy Directive 4300A.

FLETC       FLETC-IT-07-21   Repeat: FLETC-IT-08-21
    We noted that FM 4300: Information Technology System Security Program and Policy
    documents policies for the following areas:
    • Use of cryptographic tools over the FLETC [redacted];
    • Use of wireless technologies; and
    • Data sharing with external parties outside of FLETC.
    However, we noted that the policy is currently in draft form.

FLETC       FLETC-IT-07-22   Repeat: FLETC-IT-08-22
    The following [redacted] access control weaknesses were identified:
    • User access violation information is not maintained on an application level;
    • All new users (a total of eight) requesting access to [redacted] failed to have an
      authorized access request form;
    • Password parameters have been configured to permit users to reuse prior passwords
      after six (6) iterations; and
    • The [redacted] Administrator is not informed of separated employees via Human
      Resources (HR); thus, terminated employees' access is not removed in a timely manner.
    Upon notification of this issue, FLETC took corrective action and the [redacted]
    Administrator is now on the listing of individuals who are informed when an employee is
    separated.

FLETC       FLETC-IT-07-23   Repeat: FLETC-IT-08-23
    The following [redacted] access control weaknesses were identified:
    • Lack of documented procedures to recertify users' logical access on a yearly basis;
      and
    • Recertification of [redacted] users is not performed over all users.

FLETC       FLETC-IT-07-24   Repeat: FLETC-IT-07-24
    We noted that copies of the [redacted] Contingency Plan are not securely stored off-site
    at the alternate processing facility.

FLETC       FLETC-IT-07-25   Repeat: FLETC-IT-08-25
    The following [redacted] service continuity weaknesses were identified:
    • FLETC SOP - Anti-Virus Software for Servers is not finalized; and
    • FLETC SOP - System Maintenance Policy and Procedures is not finalized.

FLETC       FLETC-IT-07-26   Repeat: FLETC-IT-08-26
    During technical testing, configuration management weaknesses were identified on hosts
    and databases supporting the [redacted] and [redacted] applications.

FLETC       FLETC-IT-07-27   Repeat: FLETC-IT-08-27
    During technical testing, patch management weaknesses were identified on hosts and
    databases supporting the [redacted] and [redacted] application. The fact that these
    vendor supplied patches have not been applied in a timely manner could allow a remote
    attacker to gain unauthorized access on the host or database.

FLETC       FLETC-IT-07-28   Closed
    We noted that [redacted] server backup tape rotation logs are not consistently
    maintained.

FLETC       FLETC-IT-07-29   Repeat: FLETC-IT-08-29
    We noted that [redacted] server level and [redacted] database backups are not
    periodically tested.
    We noted that procedures or a testing schedule are not in place for [redacted] server
    level and [redacted] database backups.

TSA         TSA-IT-07-01     Repeat: TSA-IT-08-01
    The disaster recovery aspect of the [redacted] will be completed by September 30, 2007,
    with the business continuity and continuity of government aspects of the [redacted] not
    being completed until December 2007. Because the [redacted] is in draft form, it has not
    yet been tested; however, [redacted] plans to test the entire [redacted] prior to it
    being implemented. Lastly, the [redacted] has drafted a memorandum of understanding
    (MOU) with the [redacted] for reciprocal services; however, the MOU is currently in
    draft form.

TSA         TSA-IT-07-02     Closed
    [redacted] is in the process of developing a Continuity of Operations Plan [redacted]
    which addresses disaster recovery, business continuity and continuity of government for
    [redacted]. The disaster recovery aspect of the [redacted] will be completed by
    September 30, 2007, with the business continuity and continuity of government aspects
    of the [redacted] not being completed until December 2007. Because the [redacted] is in
    draft form, it has not yet been tested; however, [redacted] plans to test the entire
    [redacted] prior to it being implemented. Lastly, the [redacted] has drafted a MOU with
    the [redacted] for reciprocal services; however, the MOU is currently in draft form.

TSA         TSA-IT-07-03     Repeat: TSA-IT-08-03
    The contract that CG HQ has with the [redacted] and [redacted] software vendor does not
    include security configuration requirements that must be adhered to during the
    configuration management process. Consequently, [redacted] builds and maintenance packs
    may not be configured and implemented with comprehensive security configuration
    requirements. CG recognizes the absence of security requirements and indicated that the
    contract with the vendor will be reassessed in 2008 during the contract renewal process
    with CG HQ and corrective actions will be taken at that time.

TSA         TSA-IT-07-04     Closed
    19 individuals, specified below, had 24 hour a day access to the data center and had
    not yet completed the training:
    • 13 individuals (building owners, property managers and their respective contractors);
    • 4 members of [redacted] Senior Management; and
    • 2 security guards.
    Lastly, we identified four employees, each with 24 hour access to the data center, that
    had not yet completed the training as of July 2007. Upon notifying [redacted] of this
    exception, the four individuals completed the training and [redacted] provided
    supporting evidence.

TSA         TSA-IT-07-05     Repeat: TSA-IT-08-05
    No formal procedures have been developed or implemented by Coast Guard Headquarters to
    address DHS requirements surrounding the suitability screening of contractors accessing
    DHS IT systems. DHS directives and policies require Coast Guard and other DHS components
    to ensure the completion of background investigations for all contractors accessing IT
    systems. The type of background investigation should be based on the risk level of
    their future position at CG and is required to be completed prior to the start of work.
    However, no CG guidance exists to require CG components to clear their contractors for
    suitability, especially those with sensitive IT positions.

TSA         TSA-IT-07-06     Repeat: TSA-IT-08-06
    The IT Security Awareness, Training and Education Plan lacks appropriate criteria for
    defining personnel with significant IT responsibilities. Additionally, the personnel
    that are defined in the guidance are very limited and do not fully cover the scope of
    security responsibilities addressed in DHS requirements.

TSA         TSA-IT-07-07     Closed
    The following access control weaknesses surrounding [redacted] were identified:
    • TSA management did not receive a response from the Federal Air Marshal Service (FAMS)
      Division [redacted] user base for the May and for the July 2007 [redacted] review.
      Therefore, TSA assumed that no response indicated that all roles were appropriate and
      did not follow up to ensure that a response was received.
    • Privileges associated with each user were not included in the May and July 2007
      reviews performed.
    We also noted that the accounts of terminated employees are not removed from the system
    in a timely manner. Although TSA requested that several of the accounts of terminated
    individuals be deactivated/end-dated by [redacted], the requests were not submitted to
    [redacted] until months after the employees departed, and we were unable to obtain
    evidence that these accounts had in fact been deactivated/end-dated.

TSA         TSA-IT-07-08     Closed
    The following access control weaknesses surrounding [redacted] were identified:
    • The [redacted] application and database do not meet the password requirements noted
      in the DHS Sensitive System Policy Directive 4300A;
    • [redacted] accounts of terminated individuals are not removed in a timely manner,
      including one individual who had user account management capabilities within the
      system; and
    • [redacted] application and database accounts are not being reviewed for
      appropriateness.

TSA         TSA-IT-07-09     Closed
    The following access control weaknesses surrounding [redacted] were identified:
    • We were unable to obtain a copy of the [redacted] password configuration. However, we
      performed a demonstration/walkthrough of the password settings with a [redacted] point
      of contact and were able to determine that the password configuration is not in
      compliance with DHS guidance.
    • Although the [redacted] system has been configured to track and lock accounts that
      have not been utilized in 90 days, DHS guidance requires that accounts that have not
      been used in 30 days be deactivated.

TSA         TSA-IT-07-10     Closed
    An excessive number of individuals had user administration capabilities within
    [redacted] until the implementation of the centralized user management (August 19,
    2007). We also noted the existence of two shared generic accounts with this privilege:
    [redacted]. These accounts have every privilege within the application, including the
    ability to create/delete/modify user accounts within [redacted].

TSA         TSA-IT-07-11     Closed
    [redacted] accounts are not immediately disabled upon an employee's termination.
    Additionally, formalized policies and procedures for the periodic review of the
    [redacted] accounts do not exist. Lastly, [redacted] access request forms are not
    consistently completed.

TSA         TSA-IT-07-12     Closed
    The accounts of terminated contractors are not end-dated or disabled in a timely manner.
    Additionally, we noted that TSA has not developed policies or procedures that require a
    periodic review of application and database accounts, and their associated privileges,
    be performed to determine that access is appropriate.

TSA         TSA-IT-07-13     Repeat: TSA-IT-08-13
    Management had not adequately completed the [redacted] package to include the
    [redacted] system. Specifically, [redacted] management stated that [redacted] is a
    subsystem of [redacted] and a separate [redacted] does not need to be completed since it
    is covered by the [redacted] Package. However, we determined that there is no
    documentation within the [redacted] that defines [redacted] as a subsystem and
    specifically addresses the appropriate security controls for [redacted] in this
    capacity.

TSA         TSA-IT-07-14     Closed
    [redacted] and [redacted] systems have been configured to automatically end date
    accounts that have not been used in six months; however, DHS guidance requires that
    accounts that have been inactive for 30 days be disabled.

TSA         TSA-IT-07-15     Repeat: TSA-IT-08-15
    The policies and procedures over a formalized sanctioning process have not been fully
    developed and implemented. Specifically, the policies and procedures do not include
    consequences for individuals who do not sign the computer access agreements or complete
    initial or refresher security awareness training. Furthermore, out of the nine
    individuals selected, only one had completed a Computer Access Agreement.
    Additionally, we determined that TSA allows individuals to complete security awareness
    training within sixty days of beginning work and gaining access to their [redacted] and
    application accounts. However, DHS guidance requires that all individuals complete
    security awareness training prior to gaining access to the information systems.
    Furthermore, out of the selection of nine individuals, one contractor had not completed
    initial security awareness training this fiscal year and a second employee had not
    completed their refresher training for this fiscal year.

TSA         TSA-IT-07-16     Closed
    Procedures are not formally documented requiring the review of the activities
of the\n                      administrators. We also noted that reviews of the audit\n                      logs that document the actions of       administrators\n                      in the          operating environment are not being\n                      performed.\n  TSA       TSA-IT-   Procedures are not formally documented identifying            X\n             07-17    how change control should be performed when\n                      applying system software changes, including software\n                      patches, to the         operating system according to a\n                      standard schedule or in an emergency situation. While\n                      a policy exists, it lacks detailed procedures in order to\n                      be effective.\n  TSA       TSA-IT-   Configuration management weaknesses continue to                        TSA-IT-\n             07-18    exist on hosts supporting the       and                                 08-18\n                      applications and the\n  TSA       TSA-IT-   Patch management weaknesses continue to exist on                       TSA-IT-\n             07-19    hosts supporting the        and                                         08-19\n                      applications and the\n  TSA       TSA-IT-   Implementation of the formalized exit process for TSA                  TSA-IT-\n             07-20    personnel policies and procedures has not been fully                    08-20\n                      executed. Specifically, only eleven (11) out of a\n                      selection of thirty (30) TSA 1402 Forms, the\n                      Separating Non-Screener Employee and Contractor IT\n                      Certificates, were received. 
Additionally, of the eleven\n                      received, seven (7) of the forms did not have the\n                      appropriate TSA application(s) identified in order to\n                      deactivate the separating employee\xe2\x80\x99s accounts.\n                      Furthermore, we selected thirty (30) TSA 1163 forms,\n                      the Employee Exit Clearance form, for both\n                      contractors and TSA personnel and only received nine\n                      (9) completed forms. The purpose of the 1163 form is\n                      to document sign-offs for access removal of financial\n                      and related administrative system accounts for\n                      applications such as            and      access to the\n                              .\n  TSA       TSA-IT-   The following weaknesses were identified in the                        TSA-IT-\n             07-21                      change control process:                               08-21\n                      x     TSA has not fully documented policies and\n                            procedures surrounding the change control\n                            process for       to define the overlap in the\n                            responsibilities between        and           or\n                            guidance for ensuring that changes that are\n\n\n                                                  127\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                       Appendix C\n\n                              Department of Homeland Security\n                          Information Technology Management Letter\n                                     September 30, 2008\n                                                                                    Disposition\nComponent   NFR #                            Description                       
  Closed       Repeat\n                            passed/deferred to           are tested and\n                            operate appropriately prior to approval by TSA\n                            and implementation into production.\n                      x     Additionally, TSA does not consistently retain\n                            documentation associated with the       and\n                            changes\n                      x     Policies and procedures for the emergency change\n                            control process are not documented.\n  TSA       TSA-IT-              has not fully developed and implemented                    TSA-IT-\n             07-22    their policies and procedures for the change control                   08-22\n                      and emergency change control process to guide staff in\n                      the implementation of this process at\n                      Specifically, we noted that the policies and procedures\n                      remain at a high-level and to do not include\n                      requirements for who is responsible for the initial\n                      approvals of the changes proposed by the vendor,\n                      including technical changes, the testing plan\n                      requirements for each phase of testing (\n                                    ) and the capacity in which           is\n                      involved, and the final approval of all changes to the\n                      system. 
Instead, the procedures detail the overall\n                      process and phases for              and\n                      change control, but lack detailed guidance for the roles\n                      and responsibilities executed by           personnel.\n\n                      Additionally, we noted that           follows the same\n                      change control process for emergency changes.\n                      However, the details surrounding that emergency\n                      change control process are not formally documented in\n                      the            procedures for           and\n                      For example, requirements for the categorization of\n                      priority levels and response time requirements for each\n                      priority level are not included.\n\n                      Furthermore,          has not fully implemented the\n                      procedures documented in the             and\n                                 System Change Procedures. Specifically,\n                      we noted that                     Checklists were not\n                      completed for changes made to the       suite as of\n                      June 2006.\n\n                      Upon review of a selection of changes, we determined\n                      that         is not consistently retaining\n                      documentation to support the change control and\n                      emergency change control process. 
Specifically, we\n                      inspected documentation associated with 30\n                      and            system changes and emergency changes\n                      and determined that various pieces of supporting\n\n                                                 128\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                        Appendix C\n\n                           Department of Homeland Security\n                       Information Technology Management Letter\n                                  September 30, 2008\n                                                                                     Disposition\nComponent   NFR #                            Description                          Closed       Repeat\n                      documentation (i.e., functional resolution documents,\n                      test plans for the different phases of testing, evidence\n                      of testing, and approvals) were insufficient and/or not\n                      available for all 30 of the changes and emergency\n                      changes selected for testing.\n  TSA       TSA-IT-   Coast Guard change controls related to Coast Guard                     TSA-IT-\n             07-23    and TSA financial systems are not appropriately                         08-23\n                      designed, operating effectively or in compliance with\n                      Office of Management and Budget (OMB) Circular\n                      No. A-130, Security of Federal Automated Information\n                      Resources, the DHS Sensitive System Policy Directive\n                      4300A requirements and the National Institute of\n                      Standards and Technology Special Publications (NIST\n                      SP). 
Coast Guard has and continues to operate a\n                      separate, informal and largely undocumented change\n                      development and implementation process effecting\n                      Coast Guard and TSA Financial Systems, outside of\n                      and conflicting with the formal change control process.\n                      Coast Guard is unable to provide a complete\n                      population of implemented scripts, to include the type,\n                      purpose and intended effect on both CG and TSA\n                      financial data. The implemented process is ineffective\n                      as the approval, testing and documentation procedures\n                      of the script changes are not appropriately designed\n                      and the current process is ineffective to control the\n                      intended and actual effect on TSA financial data.\n                      Coast Guard has only eliminated a small number of the\n                      scripts used on a consistent basis and is projecting that\n                      this approach will continue into the delivery of\n                      4.2 and beyond.\n  TSA       TSA-IT-   Civilian background investigations and                                 TSA-IT-\n             07-24    reinvestigations are not being performed in accordance                  08-24\n                      with DHS guidance. 
Specifically, sixteen (16) out of\n                      twenty (20) individual background investigations\n                      reviewed did not meet the DHS minimum standard of\n                      investigation of an Minimum Background\n                      Investigation (MBI) per the DHS Sensitive System\n                      Policy Directive 4300A.\n                      Furthermore, upon review of a selection of five (5)\n                      civilian personnel, one (1) individual had an\n                      investigation that had not been adjudicated since 1988.\n                      DHS guidance requires that civilian personnel are\n                      reinvestigated every ten (10) years.\n  TSA       TSA-IT-   TSA has not taken corrective actions to develop and           X\n             07-25    implement TSA specific change control policies and\n                      procedures for the TSA            change control or\n                      emergency change control process. Furthermore, upon\n\n\n                                                 129\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                  Appendix C\n\n                          Department of Homeland Security\n                      Information Technology Management Letter\n                                 September 30, 2008\n                                                                               Disposition\nComponent   NFR #                         Description                       Closed       Repeat\n                    review of a selection of changes, we determined that\n                    TSA is not consistently implementing the change\n                    control process. 
Specifically, we inspected\n                    documentation associated with seven\n                    system changes and emergency changes and\n                    determined that supporting documentation (i.e., test\n                    plans, evidence of testing, and approvals to move the\n                    change into production) were not available for all\n                    seven of the changes and emergency changes selected\n                    for testing.\n                    Additionally, we noted that testing was not fully\n                    completed by TSA prior to passing the change for\n                    testing for three of the changes.\n\n\n\n\n                                             130\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                          Appendix D\n\n                          Department of Homeland Security\n                      Information Technology Management Letter\n                                 September 30, 2008\n\n\n\n\n                                  Appendix D\n\n                            Management Comments\n\n\n\n\n                                         131\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                          Appendix D\n                          Department of Homeland Security\n                      Information Technology Management Letter\n                                 September 30, 2008\n\n\n\n\n                                         132\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                                                                          Appendix D\n                          Department of Homeland Security\n                      Information Technology Management Letter\n                                 September 30, 
2008\n\n\n\n\n                                         133\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0c                          Department of Homeland Security\n                      Information Technology Management Letter\n                                 September 30, 2008\n\n                    Report Distribution\n\n                    Department of Homeland Security\n\n                    Secretary\n                    Acting Deputy Secretary\n                    Chief of Staff for Operations\n                    Chief of Staff for Policy\n                    Acting General Counsel\n                    Executive Secretariat\n                    Under Secretary, Management\n                    Chief Information Officer\n                    Chief Financial Officer\n                    Chief Information Security Officer\n                    Assistant Secretary, Policy\n                    DHS GAO OIG Audit Liaison\n                    Chief Information Officer, Audit Liaison\n\n                    Office of Management and Budget\n\n                    Chief, Homeland Security Branch\n                    DHS OIG Budget Examiner\n\n                    Congress\n\n                    Congressional Oversight and Appropriations Committees, as\n                    appropriate\n\n\n\n\n                                          132\nInformation Technology Management Letter for the FY 2008 DHS Financial Statement Audit\n\x0cADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4199,\nfax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.\n\n\nOIG HOTLINE\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal\nmisconduct relative to department programs or operations:\n\n\xe2\x80\xa2 Call our Hotline at 1-800-323-8603;\n\n\xe2\x80\xa2 Fax the complaint directly 
to us at (202) 254-4292;\n\n\xe2\x80\xa2 Email us at DHSOIGHOTLINE@dhs.gov; or\n\n\xe2\x80\xa2 Write to us at:\n       DHS Office of Inspector General/MAIL STOP 2600,\n       Attention: Office of Investigations - Hotline,\n       245 Murray Drive, SW, Building 410,\n       Washington, DC 20528.\n\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c"